Biometric Technology Application Manual - ITI Observatorio ...
Biometric Technology Application Manual - ITI Observatorio ...
Biometric Technology Application Manual - ITI Observatorio ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Biometric</strong> <strong>Technology</strong><br />
<strong>Application</strong> <strong>Manual</strong><br />
Volume 1<br />
<strong>Biometric</strong> Basics<br />
Compiled and Published by<br />
National <strong>Biometric</strong> Security Project<br />
Revised:<br />
Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 iii<br />
Table of Contents<br />
Abstract ...........................................................................................ix<br />
About the <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong><br />
<strong>Manual</strong> (BTAM) .......................................................................ix<br />
About the National <strong>Biometric</strong> Security Project ..........x<br />
Purpose and Objectives .....................................................xi<br />
Volume 1: <strong>Biometric</strong>s Basics ......................................... xiii<br />
Volume 2: Applying <strong>Biometric</strong>s ................................... xiii<br />
Intended Audience ............................................................ xv<br />
Disclaimer ............................................................................. xvi<br />
Updates and Errata ............................................................ xvi<br />
Foreword ..............................................................................xvii<br />
Section 1: Introduction ..............................................................1<br />
Levels of Identification ........................................................ 1<br />
<strong>Biometric</strong>s for Identity Management ............................ 6<br />
Section 2: Fundamentals of <strong>Biometric</strong>s ...............................1<br />
The Origin of <strong>Biometric</strong>s 7 ................................................... 1<br />
How <strong>Biometric</strong> Technologies Work—In General ...........5<br />
Overview of <strong>Application</strong>s ................................................10<br />
Errors and Error Rates ........................................................13<br />
Failure to Acquire ................................................................16<br />
Personal <strong>Biometric</strong> Criteria ..............................................17<br />
<strong>Biometric</strong> System-Level Criteria ....................................18<br />
Key Elements of <strong>Biometric</strong> Systems 15 ..........................19<br />
<strong>Biometric</strong> Performance Metrics .....................................29<br />
Template Storage Considerations ................................33<br />
Terms and Definitions Related to <strong>Biometric</strong>s ...........37<br />
Section 3: Types of <strong>Biometric</strong> Technologies .......................1<br />
Dynamic Signature Analysis ............................................. 2<br />
Facial Imaging or Recognition ......................................... 5<br />
Fingerprint .............................................................................12<br />
Hand Geometry ...................................................................18<br />
Iris Recognition ....................................................................21<br />
Keystroke Analysis/Keystroke Dynamics ...................25<br />
Palmprint ...............................................................................30<br />
Version 2 – Summer 2008
Volume I iv Table of Contents<br />
Retinal Scan ..........................................................................32<br />
Skin Spectroscopy/Skin Texture/Skin Contact ........35<br />
Speaker Verification ...........................................................38<br />
Vascular <strong>Biometric</strong>s ............................................................43<br />
Other <strong>Biometric</strong> Technologies .......................................62<br />
Section 4: The <strong>Biometric</strong> System Design Process .................1<br />
System Concept Development ....................................... 2<br />
Operational Considerations and Constraints ............. 5<br />
The Requirements Definition ........................................... 7<br />
The System Specification .................................................12<br />
<strong>Biometric</strong> Access Control ................................................14<br />
The Architectural Aspects of an Automated Access<br />
Control Portal .......................................................................24<br />
Critical Performance Expectations ...............................29<br />
Examples of Access Control Systems ..........................34<br />
Section 5: Structure of <strong>Biometric</strong> Standards ..................... 1<br />
Introduction ............................................................................ 1<br />
Current Work in <strong>Biometric</strong> Standards<br />
Development..... ..................................................................14<br />
International Standards Organizations ......................15<br />
BioAPI Consortium .............................................................26<br />
Common <strong>Biometric</strong> Exchange Framework Format<br />
(CBEFF) ....................................................................................27<br />
ANSI NIST Standards ..........................................................29<br />
<strong>Biometric</strong> Consortium .......................................................30<br />
Other Standards ..................................................................31<br />
Best Practices in Standards Development ................32<br />
Section 6: Testing and Evaluation ..........................................1<br />
Introduction ............................................................................ 1<br />
Understanding <strong>Biometric</strong> System Performance ....... 3<br />
Comparison of Types of Testing ...................................... 6<br />
<strong>Technology</strong> Testing .............................................................. 7<br />
Scenario Testing .................................................................... 8<br />
Operational Testing .............................................................. 8<br />
ROC, DET, CMC Curves .....................................................13<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 v<br />
Measuring <strong>Biometric</strong> Performance ..............................16<br />
Performance Measures .....................................................18<br />
The Qualified Products List .................................................20<br />
The NBSP/BSI QPL Performance Test ...........................21<br />
Demographics .....................................................................22<br />
Sample Size ...........................................................................22<br />
The NBSP/BSI Conformance Test ..................................23<br />
Other Types of Testing ......................................................25<br />
Vulnerability Testing ..........................................................25<br />
Security Testing ...................................................................27<br />
Interoperability Testing ....................................................28<br />
ISO/IEC 17025 Accreditation ..........................................28<br />
Other Testing Considerations.........................................30<br />
Scalability and Usability ...................................................30<br />
Compliance with Standards ...........................................31<br />
Testing Protocols .................................................................34<br />
Evaluation Protocols ..........................................................36<br />
<strong>Technology</strong> and Product Evaluations .........................37<br />
Testing Organizations .......................................................41<br />
Section 7: <strong>Biometric</strong> Social and Cultural Implications ...1<br />
Section 7, Part I: Societal Issues—Legal<br />
Considerations and Implications .................................... 1<br />
U.S. Law and Implications .................................................. 8<br />
Impact on Civil Liberties 87 ................................................14<br />
Implications for Federal Agencies ................................16<br />
International Considerations ..........................................18<br />
Summary ................................................................................34<br />
Section 7, Part II: Societal Issues—Privacy<br />
Considerations .....................................................................35<br />
Summary ................................................................................72<br />
Section 7, Part III: Societal Issues—User Acceptance<br />
Considerations ....................................................................72<br />
Section 8: Trends and Implications .......................................1<br />
Trends ....................................................................................... 2<br />
Implications ..........................................................................11<br />
Summary ................................................................................16<br />
Version 2 – Summer 2008
Volume I vi Table of Contents<br />
Bibliography and References ...................................................1<br />
Legal Cases Cited ....................................................................... 12<br />
Acknowledgments .................................................................... 13<br />
BTAM Index .....................................................................................1<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 vii<br />
List of Figures<br />
Figure 1-1 A complete identity management system. 7<br />
Figure 2-1 Chart demonstrating “Bertillonage”<br />
measurements. .............................................................................. 2<br />
Figure 2-2 Generic <strong>Biometric</strong> Process....................................... 5<br />
Figure 2-3 Diagram of a “generic” biometric-based system.6<br />
Figure 2-4 Minutia-based fingerprint image with detected<br />
minutia points marked. ....................................25<br />
Figure 2-5 Example of decision threshold for an iris<br />
recognition system. ...........................................28<br />
Figure 2-6 Graphs showing intersection between FAR<br />
and .................................................FRR for verification.<br />
30<br />
Figure 3-1 Examples of fingerprint ridge patterns. ..........13<br />
Figure 3-2 Minutia-based fingerprint image with detected<br />
minutia points marked. ....................................15<br />
Figure 3-3 Iris image showing unique structure. .........21<br />
Figure 3-4 An iris image with an IrisCode ® . ....................22<br />
Figure 3-5 Example of palmprint patterns. ....................30<br />
Matrix I Comparison of <strong>Biometric</strong> Technologies –<br />
Matrix I ....................................................................47<br />
Matrix II Comparison of <strong>Biometric</strong> Technologies –<br />
Version 2 – Summer 2008
Volume I viii Table of Contents<br />
Matrix II ..................................................................56<br />
Figure 3-6 Structure of the external ear. ............................. 66<br />
Figure 4-1 ...................................................................................24<br />
Figure 4-2 ...................................................................................28<br />
Figure 5-1 Structure of <strong>Biometric</strong> Standards ................... 3<br />
Figure 5-2 <strong>Biometric</strong> Standards Activities ......................25<br />
Sec. 6 Comparison of Algorithm, Scenario, and Operational<br />
Testing ....................................................................11<br />
Figure 6-1 Example ROC curve. ..........................................13<br />
Figure 6-2 Example DET curve. ...........................................14<br />
Figure 6-3 Example CMC curve. .........................................15<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 ix<br />
Abstract<br />
About the <strong>Biometric</strong> <strong>Technology</strong><br />
<strong>Application</strong> <strong>Manual</strong> (BTAM)<br />
Published by the National <strong>Biometric</strong> Security Project<br />
(NBSP), the <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong><br />
(BTAM) is a comprehensive reference manual on biometric<br />
technology applications. This reference book, in three<br />
volumes, has been compiled for biometric technology<br />
users and for those who are evaluating biometrics as an<br />
enabling technology within an integrated system or program<br />
for security and identification management. The<br />
BTAM is intended to be a rational and practical tool for<br />
those who specify, buy, integrate, operate, and manage<br />
biometric technology-based systems.<br />
The experienced biometric practitioner will see much<br />
that is familiar in the BTAM. The publication is not<br />
a revelation of new content. Rather, it is designed to<br />
inform the rapidly growing community of new users,<br />
designers, and integrators, and assist them in their search<br />
for practical application solutions. Hopefully, it will<br />
prove to be the standard desktop reference on the subject<br />
of biometrics for all levels of interest and experience.<br />
Generally, this manual has been compiled for and is intended<br />
for individuals and organizations with responsibility<br />
for protecting civil infrastructure and related applications<br />
including, but are not limited to:<br />
•<br />
•<br />
Civil infrastructure agencies<br />
Other government agencies<br />
Version 2 – Summer 2008
Volume I x Abstract<br />
•<br />
•<br />
•<br />
•<br />
Private sector<br />
Academic institutions<br />
International organizations, businesses, groups, and<br />
governments<br />
Consultants and practitioners in biometrics<br />
About the National <strong>Biometric</strong> Security<br />
Project<br />
The National <strong>Biometric</strong> Security Project (NBSP) is a tax exempt,<br />
nonprofit 501(c)(3) organization incorporated and<br />
headquartered in Bowie, MD. It is designed to perform<br />
independent public services in support of anti-terrorist<br />
and homeland security objectives. That service provides<br />
unbiased support in the application of biometric technology<br />
from the development of standards to focused<br />
testing, research, training, and education for all public<br />
and private sectors with responsibility for security of the<br />
civilian national infrastructure.<br />
The organization is designed for vigorous and economical<br />
mission performance from its laboratory, the <strong>Biometric</strong><br />
Services International, LLC (BSI) located in Morgantown,<br />
West Virginia, that provides testing, training, and<br />
data services exclusively in biometric-related subjects.<br />
Testing services include objective certification of products<br />
based on a general set of criteria common to all<br />
biometric technology and standards conformance for<br />
listing on a general Qualified Products List (QPL), as well<br />
as specialized testing for homeland security applications<br />
and other special client needs. Training programs focus<br />
on general orientation, operator/user training, and certi-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 xi<br />
fied technician training. Data Services provides reference<br />
materials in hard and web-based versions and maintains<br />
special databases for support of biometric and identity<br />
management activities.<br />
NBSP’s permanent staff is efficiently supplemented, as required,<br />
by external organizations contracted to perform<br />
substantive research and technical work, highly specialized<br />
and experienced consultants, and research organizations<br />
focused on biometric or identity matters, such as<br />
the Center for Identification <strong>Technology</strong> Research (CITeR)<br />
at West Virginia University and other academic institutions<br />
associated with CITeR.<br />
Purpose and Objectives<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Learning and comparing how various biometric technologies<br />
perform and have performed in real-world<br />
applications (both successfully and unsuccessfully),<br />
and why.<br />
Providing a means to evaluate various biometric solutions<br />
based on specific application parameters and<br />
requirements.<br />
Determining where, when, and why a biometricbased<br />
solution is a good fit, or when, where, and why<br />
it is not.<br />
Supporting technology evaluation by defining the<br />
questions to ask, identifying other considerations<br />
and understanding the issues generated by the need<br />
for interoperability.<br />
Helping to answer such questions as: How do I evalu-<br />
Version 2 – Summer 2008
Volume I xii Abstract<br />
ate various systems? How do I integrate/apply the<br />
technology? How do I use the technology? What is<br />
the best technology for my application?<br />
The BTAM is published in three parts: Volume 1, Volume<br />
2, and Volume 3,which also includes an Appendix. These<br />
volumes are different from other textbooks and research<br />
reports on biometrics because they are: (1) specifically<br />
focused on the practical needs of the new user as well<br />
as the more familiar practitioner; and (2) are maintained<br />
on a current basis to avoid short shelf-life. The BTAM is<br />
designed to treat real world requirements in a “how to”<br />
approach that goes beyond theory but avoids inundating<br />
the reader in technical detail.<br />
There is a significant volume of valuable work on the<br />
subject of biometrics by many authors. The BTAM was<br />
not published to replace that body of work, but rather to<br />
compile some of the best of that content in an organized<br />
and focused product with emphasis on the user. Equally<br />
important, the objective of the BTAM is to help solve the<br />
issue of short shelf-life of biometric publications in a rapidly<br />
evolving technology base by including a process for<br />
regular updating of each volume.<br />
In researching and compiling the BTAM, the authors relied<br />
heavily on secondary research from already-published,<br />
public sources. For a list of the reference materials,<br />
authors, publications, and other sources used and<br />
referenced in this compilation, please see appropriate<br />
footnotes as well as the Bibliography.<br />
Volume 1: <strong>Biometric</strong> Basics (updated<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 xiii<br />
Summer 2008)<br />
Volume 1 is a primer on biometrics as it presents and defines<br />
biometrics, including:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
The types and fundamentals of the various technologies<br />
and how they work;<br />
How system requirements should be defined and the<br />
appropriate performance specifications to consider;<br />
An update on biometric standards development;<br />
Why biometric standards are critical to integrating<br />
full-solution systems;<br />
Insight regarding testing protocols and system<br />
evaluation;<br />
Description of the various societal issues—legal, privacy,<br />
and user psychology—that are critical to selecting<br />
and implementing a successful biometric-based<br />
security and identification management solution.<br />
Volume 2: Applying <strong>Biometric</strong>s<br />
Volume 2 is the follow-up to Volume 1, moving from<br />
the basic information about biometrics more generally<br />
to specific case studies and applications. A common<br />
theme throughout Volume 2 addresses the issue of what<br />
a buyer/end-user needs to know to make an informed<br />
decision about which technologies will work best for a<br />
given application. This is supplemented with case studies<br />
of biometric technologies—why the technology worked<br />
Version 2 – Summer 2008
Volume I xiv Abstract<br />
(or didn’t work); and why it was chosen over other options.<br />
<strong>Application</strong>s presented are both United States and<br />
non-United States, and include civil infrastructure (both<br />
government and private sector), state and regional, and<br />
urban and local examples.<br />
Additionally, Volume 2 helps the reader assess system<br />
selection and management; define security needs and<br />
objectives; design and integrate biometrics; understand<br />
and plan for maintenance and system services; and design<br />
and implement appropriate user and operator training<br />
programs.<br />
Sections to be included in the BTAM Volume 2 include 1 :<br />
Section 9: System Requirements and Selection<br />
Section 10: <strong>Application</strong>s and Design<br />
Section 11: Integration and Installation<br />
Section 12: Operations and Management<br />
Section 13: Maintenance and Services<br />
Section 14: Training<br />
<strong>Biometric</strong> <strong>Application</strong> Case Studies<br />
Appendices<br />
a.<br />
<strong>Biometric</strong> Selection and <strong>Application</strong> Checklist<br />
1 Section titles and content are subject to change prior to pub-<br />
lication of BTAM Volumes 2 and 3.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 xv<br />
b.<br />
c.<br />
d.<br />
e.<br />
Internet Resources<br />
<strong>Biometric</strong> Publications<br />
Education and Training Resources<br />
Industry Associations<br />
Volume 3: <strong>Biometric</strong> Case Studies, Best<br />
Practices, and Business Cases<br />
Volume 3 will be the largest collection available of case<br />
studies, to date, and will include end-user interface evaluation<br />
and privacy impact details. Volume 3 will be segmented<br />
into government, private, and education applications.<br />
Topics that will be discussed include:<br />
•<br />
•<br />
•<br />
Identification of large and small-scale government,<br />
private industry, and educational applications of<br />
biometrics<br />
Input from end-user representatives of these programs<br />
to produce case studies of the biometric applications<br />
to include privacy impact details, as available<br />
Evaluations and details of business cases for large<br />
and small-scale programs.<br />
Intended Audience<br />
This manual is predominantly intended for individuals<br />
with responsibility for security and protection of the civil<br />
infrastructure and related applications. Those who will<br />
Version 2 – Summer 2008
Volume I xvi Abstract<br />
find this manual helpful include, but are not limited to:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Security directors/managers in both the private and<br />
public sectors<br />
Chief Security Officers (CSO)<br />
Chief Information Officers (CIO)<br />
Chief Information Security Officers (CISO)<br />
Chief Privacy Officers (CPO)<br />
Infrastructure Assurance and Risk Assurance Managers<br />
Site security officials in both the private and public<br />
sectors<br />
<strong>Biometric</strong>s and security systems integrators<br />
Vendors who seek insight on the requirements for<br />
their products<br />
Disclaimer<br />
The National <strong>Biometric</strong> Security Project (NBSP) and the<br />
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> (BTAM) do not<br />
and cannot provide legal advice nor is the BTAM a substitute<br />
for professional engineering design support. The<br />
information in this publication is for general information<br />
purposes only. None of the information contained in<br />
Volume 1, Volume 2, and Volume 3, is intended to be or<br />
should be relied upon as specific or definitive for designing<br />
a particular program, system, process, or legal policy.<br />
The reader should obtain the advice of a suitably quali-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 xvii<br />
fied engineer, attorney, or experienced practitioner before<br />
taking any action in the application and use of any of<br />
the information contained in this publication.<br />
Updates and Errata<br />
NBSP intends to regularly update the BTAM with new and<br />
revised material from all relevant sources. NBSP is also<br />
interested in the comments and feedback of its readers.<br />
Every effort has been made to contact copyright holders<br />
for content and images used in this manual. The publisher<br />
apologizes in advance for any unintentional omissions<br />
and will insert appropriate acknowledgments in subsequent<br />
editions of the publication.<br />
Foreword<br />
Few would theoretically deny the unique nature of each<br />
member of the human race. In virtually every aspect of<br />
our being, people demonstrate combinations of characteristics,<br />
physical, emotional, and behavioral, which<br />
set us apart from everyone else on the planet, including<br />
those who preceded us here. Acknowledging the unique<br />
quality of each human life has not, unfortunately, always<br />
supported a further recognition that our “uniqueness”<br />
deserves the dignity, respect, and equality that should be<br />
afforded every individual. Perhaps our historical inability<br />
to measure that quality of “uniqueness” has contributed<br />
to the lapses between the theoretical acceptance of our<br />
unique nature and the social errors that ignore our individuality.<br />
One of the greatest social documents in the history of<br />
Version 2 – Summer 2008
Volume I xviii Abstract<br />
civilization declares “all men are created equal....”; yet<br />
through ignorance or deviousness, many have worked<br />
throughout history to deny us that equality and even<br />
our individuality. An argument may be made that technology<br />
that supports proof of our unique human quality,<br />
also supports our equality under creation. From that<br />
perspective, the science or technology of identification<br />
should be viewed as one of the most significant developments<br />
in the history of man.<br />
Mankind has searched from antiquity for a method or<br />
device to assert and affirm individual identity. In those<br />
communications or transactions requiring some assurance<br />
of authority or non-repudiation, some sign or seal<br />
became a necessary component to validate or certify the<br />
execution of the action. So, still today, we require at least<br />
a signature to complete the deal.<br />
The search for the perfect assurance of identity or “uniqueness”<br />
is not over. But the technology of biometrics addressed<br />
by this manual has clearly established that such<br />
an objective is not only achievable, but is in early practical<br />
form, ready and waiting for effective use.<br />
The issue of how this technology impacts the treasured<br />
right of or desire for “privacy” and our “civil liberties” is a<br />
valid concern. Any advance in automated human identification<br />
can be a double-edged sword; abused by those<br />
who dismiss the importance of the individual for the<br />
“greater good,” but also holding the potential as a tool for<br />
enhanced individuality and protection of identity when<br />
used properly. Achieving the proper balance is also discussed<br />
later in this work.<br />
The term “biometrics” is derived from the function of<br />
measuring biological characteristics. For purposes of<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 xix<br />
this manual, biometrics is used to generally describe the<br />
art and science of capturing a personal characteristic,<br />
feature, or trait, for subsequent use in a system or subsystem<br />
designed for automated human identification or<br />
recognition.<br />
<strong>Biometric</strong>s is not an overnight sensation. The years of<br />
development of the technology are now in the fourth<br />
decade if confined to its automated form, and can be<br />
measured in centuries if it includes all rational attempts<br />
to measure and compare human characteristics. As in<br />
many other areas, advances in computer technology<br />
also accelerated the capabilities and quality of biometric<br />
technology. In studying its potential and considering<br />
specific applications for use, it is important to appreciate<br />
its substantive qualities and inherent limitations. Make<br />
no mistake however, there is no equivalent substitute for<br />
biometrics in the automated human identification function,<br />
and any claim to the contrary, including those who<br />
assert we can rely on “something we have” or “something<br />
we know” without biometrics, must be treated with great<br />
skepticism. Later in the manual, distinctions between<br />
this assertion and other functions such as authentication<br />
(where other alternatives with or without biometrics do<br />
exist) will be clarified.<br />
<strong>Biometric</strong>s are not only here to stay as the best component<br />
of an automated identification program but have<br />
hardly begun to scratch the surface in responding to<br />
the need for the ultimate measure and validation of our<br />
unique individual nature.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 1 1<br />
Section 1: Introduction<br />
Levels of Identification<br />
<strong>Biometric</strong> technologies are automated methods for recognizing<br />
individuals based on biological and behavioral<br />
characteristics.<br />
<strong>Biometric</strong> technology involves the capture and storage<br />
of a distinctive, measurable characteristic, feature, or trait<br />
of an individual for subsequently recognizing that individual<br />
by automated means.<br />
Automated methods of recognizing a person based on a<br />
biological or behavioral characteristic is the basic tenet<br />
underlying biometrics. As a “modern day” technology,<br />
biometrics has been around since the 1960s. <strong>Biometric</strong><br />
authentication is the “automatic,” “real-time,” “non-<br />
forensic” subset of the broader field of human identification.<br />
2 Humans recognize each other according to their<br />
various characteristics. For example, friends, family, and<br />
co-workers recognize each other by faces and voices.<br />
A biometric system is essentially a pattern recognition<br />
system that recognizes a person by comparing the binary<br />
code of a uniquely specific biological or physical<br />
characteristic to the binary code of the stored characteristic.<br />
Samples are taken from individuals to see if there is<br />
similarity to biometric references previously taken from<br />
known individuals. The system then applies a specialized<br />
mathematical algorithm to the sample and converts<br />
2 Fundamentals of <strong>Biometric</strong> Authentication Technologies. James L.<br />
Wayman. National <strong>Biometric</strong> Test Center. Used with permission.<br />
Version 2 – Summer 2008
Section 1 2 Introduction<br />
it into a binary code and then compares it to the template<br />
sample to determine if the individual can be recognized.<br />
In the case of access control, a person requesting<br />
access will be asked to submit a sample and (often,<br />
but not always) claim an “identity” or “oneness of source”<br />
with a template already stored. If the acquired sample is<br />
adequately similar to the claimed stored template, the<br />
access authorizations for the template can be checked<br />
and applied to the live person now seeking access. A<br />
reference model or reference containing the biometric<br />
properties of a person is stored in the system (generally<br />
after data compression) by recording his/her characteristics.<br />
These characteristics may be acquired several times<br />
during enrollment in order to get a reference profile that<br />
corresponds most with reality.<br />
Establishing human identity (“oneness” with a person<br />
already known to the system) reliably and conveniently<br />
has become a major challenge for a modern-day society.<br />
The explosive growth in Internet connectivity and<br />
human mobility has led to new models of person-to-person<br />
interaction that require new ways of proving identity,<br />
establishing trust, and authorizing access. <strong>Biometric</strong><br />
technologies developed in response to this growing<br />
worldwide demand for automated human identification<br />
include—as discussed in this manual—finger, face, hand,<br />
iris, and other identifiers. All of these rely on the science<br />
of pattern recognition to establish an individual’s identity<br />
based on stable physical patterns on his/her body.<br />
Today’s technology has reached a level of maturity that<br />
biometrics are now relied upon by an increasing number<br />
of applications in security, identity programs, and identity<br />
management systems. 3<br />
3 From The Science and <strong>Technology</strong> of <strong>Biometric</strong>s and Managing Human<br />
Identity. Joseph Atick, Identix, Inc.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 1 3<br />
This measurable characteristic, the biometric, can be<br />
primarily anatomical—such as eye, face, finger image,<br />
hand, and voice—or primarily behavioral—such as signature<br />
and typing rhythm, but most biometrics combine<br />
both anatomical and behavioral components. The biometric<br />
system must be able to identify a person based<br />
on one or a combination of these biometric identifiers<br />
quickly, automatically, and with little or no human intervention<br />
in the decision.<br />
With biometric technology, a more robust level of security<br />
and protection can be achieved in the identification<br />
component of access control, ID, and verification<br />
programs.<br />
Three basic means or levels of identification are often<br />
referred to in identity management functions:<br />
•<br />
•<br />
•<br />
The lowest level is defined as “something you have”<br />
in your possession, such as an ID badge with a photograph<br />
on it.<br />
The second level is “something you know,” such as a<br />
password used with computer login or PIN code to<br />
use at a bank ATM.<br />
The highest level is “who you are,” which encompasses<br />
biometrics - the measurement of physical characteristics<br />
or traits.<br />
It is important to note that biometric technologies, even<br />
at their best, are not the panacea to security and identification<br />
issues. To achieve the most robust level of security,<br />
biometric technologies need to be part of a broader<br />
and complete risk management system that incorporates<br />
multiple security technologies.<br />
Version 2 – Summer 2008
Section 1 4 Introduction<br />
There are several mature biometric systems available in<br />
the market today and many successful applications of<br />
biometric technology. The technology has proven capable<br />
of decreasing costs and increasing convenience<br />
for both users and system administrators. Furthermore,<br />
properly employed these systems are capable of improving<br />
privacy and resisting identity theft.<br />
One of the major impediments to widespread implementation<br />
of biometric technologies at the consumer level is<br />
the wide variety of competing, vendor-proprietary devices<br />
that have been developed without general standardization.<br />
The primary barriers to using biometrics more<br />
broadly in the private sector have had to do with limited<br />
compliance with existing standards, scalability of the systems,<br />
interoperability, usability, security, buyer concerns<br />
about return on investment (ROI), and issues concerning<br />
attacks on privacy. Each of these barriers have reasonable<br />
solutions or are susceptible to an effective and acceptable<br />
compromise..<br />
The costs of biometric devices and software have declined<br />
rapidly over recent years and the technology is now being<br />
offered as a standard component in a number of security<br />
applications, such as laptop computer login and<br />
facility access control. In addition, significant increases in<br />
computing power, along with continuing advancements<br />
in biometric software algorithms and sensor hardware,<br />
have resulted in vastly improved speed and accuracy for<br />
the more widely used biometric methods. Since the tragic<br />
events of September 11, 2001, governments have rushed<br />
to embrace biometrics as a key component in their multilayered<br />
security systems for anti-terrorism and homeland<br />
security applications such as border control.<br />
Utilized in isolation or integrated with other technolo-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 1 5<br />
gies, such as smart cards, encryption keys, and digital signatures,<br />
biometrics are poised to pervade all aspects of<br />
the economy. Utilizing biometrics for personal authentication<br />
is more secure than current keys, passwords,<br />
and PINs since it verifies the identity of a specific person<br />
rather than confirming the validity of a number or<br />
the possession of a card or token. With the rapid growth<br />
of electronic commerce there is a growing need to authenticate<br />
the identity of a person for secure transaction<br />
processing. <strong>Biometric</strong> technologies are poised to form<br />
the foundation of an array of highly secure, fast, accurate,<br />
and user-friendly identification and personal verification<br />
solutions.<br />
Privacy concerns are more pronounced when it comes<br />
to implementing biometric-based systems in private,<br />
consumer-facing applications. <strong>Biometric</strong> data, a mathematical<br />
representation of the anatomical feature, is separate<br />
and distinct from personal and private information<br />
whose loss is at the heart of privacy concerns. Although<br />
biometric data have been resistant to reverse engineering,<br />
both data sets need to be secured to allay these concerns.<br />
Because of these inherent attributes, biometrics<br />
are an effective means to further secure privacy and<br />
deter identity theft, but their application must be carefully<br />
designed to achieve that objective. For example,<br />
biometrics can be used for computer and network access<br />
control purposes, thereby restricting unauthorized<br />
personnel from gaining access to sensitive business and<br />
personal information. With the improvement in technology<br />
and decrease in prices, the use of biometrics should<br />
expand at an ever-increasing rate.<br />
Version 2 – Summer 2008
Section 1 6 Introduction<br />
<strong>Biometric</strong>s for Identity Management<br />
What is identity management? Identity management<br />
is defined as “the registration, storage, protection,<br />
issuance, and assurance of a user’s personal identifier(s)<br />
and privilege(s) in an electronic environment in a secure,<br />
efficient, and cost-effective manner.” 4<br />
Identity management is an increasing concern across the<br />
public and private sectors. In the private sector it is most<br />
frequently thought of in the context of identity theft. According<br />
to FDIC figures, 10 million Americans suffered<br />
identity theft in 2003 with a cost to business in excess<br />
of US$50 billion and a personal impact that is difficult to<br />
estimate. As staggering as this sum is, identity theft is at<br />
the heart of significantly broader economic vulnerabilities<br />
and national security concerns. Using biometrics to<br />
develop identity theft countermeasures has direct impact<br />
on civil infrastructure protection.<br />
Authentication and identification of people are critical to<br />
eliminating threats to national security and public safety,<br />
and securing business transactions. As technology<br />
advances and public policy debates continue over the<br />
pros and cons of national identity programs, the identity<br />
management industry continues to grow and change.<br />
Specific to biometric technologies, increased attention<br />
to homeland security, for example, has spurred significant<br />
growth.<br />
Organizations, whether public or private, large or small,<br />
4 According to Daon. <strong>Biometric</strong> Identity Management in Large-<br />
Scale Enterprises. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 1 7<br />
Figure 1-1 A complete identity management system.<br />
are looking to increase the levels of accountability and<br />
security among employees, partners, and customers.<br />
The most effective way to do this is to centralize identity<br />
management functions in a single location—moving<br />
away from identity stovepipes—so it can be effectively<br />
managed and the appropriate level of trust can be maintained<br />
in the authentication process.<br />
<strong>Biometric</strong>s provide one of the most secure and effective<br />
ways to authenticate an individual, whether through the<br />
biometric itself or in conjunction with a PIN, password,<br />
Version 2 – Summer 2008
Section 1 8 Introduction<br />
or other token. Designed properly, biometric identity<br />
management addresses the proper management of biometric<br />
identities, particularly for large-scale enrollment<br />
(database) populations.<br />
<strong>Biometric</strong> system deployment encompasses several functions,<br />
5 including identity registration, storage, assurance,<br />
protection, issuance, life cycle management, and system<br />
management, which all must be taken into account and<br />
integrated for the best results (see preceding graphic).<br />
<strong>Biometric</strong> algorithms (software) have reached the levels<br />
of accuracy required for broad-scale use and the costper-user<br />
has declined significantly in recent years, yielding<br />
a form of authentication that is more cost effective<br />
and secure than traditional means. Organizations looking<br />
to deploy a biometric-based solution should consider<br />
the full spectrum of such use and adopt an integrated<br />
design that enables a multi-factor approach (and multimodal<br />
6 where appropriate), flexible authentication and<br />
authorization policies while maintaining (or enhancing)<br />
individual privacy, and is provided on a scalable, accessible,<br />
and secure infrastructure.<br />
5 According to Daon. <strong>Biometric</strong> Identity Management in Large-<br />
Scale Enterprises. Used with permission.<br />
6 Mulit-modal is the use of multiple biometrics in a single application,<br />
such as the new U.S. passports that will include both<br />
facial and fingerprint biometrics.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 1 9<br />
NOTE: The terms “reference” and “template” may be<br />
used interchangeably throughout the BTAM. However,<br />
“template” refers specifically to the code that contains the<br />
characteristic feature or sample; “reference” is a broader<br />
term that describes any data used in the matching process.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 1<br />
Section 2: Fundamentals of <strong>Biometric</strong>s<br />
The Origin of <strong>Biometric</strong>s 7<br />
The term “biometrics” is derived from the Greek words<br />
bio (life) and metric or metry (to measure). Interestingly,<br />
the term “biometrics” was not used to describe these<br />
technologies until the 1980s. The first reference 8 found<br />
for the term “biometrics” was in a 1981 article in The New<br />
York Times.<br />
Centuries before “automated” biometric technologies<br />
became possible with the advent of computers, algorithm<br />
development, and processing power, there were<br />
several types of non-automated biometric methods used.<br />
The first known reference to non-automated biometrics<br />
was in prehistoric picture writing of a hand with ridge<br />
patterns that was discovered in Nova Scotia. Fingerprint<br />
recognition represents the oldest method of biometric<br />
identification, with its history going back as far as<br />
at least 6000 B.C. The first recorded use of fingerprints<br />
was by the ancient Assyrians, Babylonians, Japanese, and<br />
Chinese for the signing of legal documents. In ancient<br />
Babylon, fingerprints were used on clay tablets for business<br />
transactions. A form of fingerprinting was used<br />
in China, as reported by explorer Joao de Barros. He<br />
wrote that Chinese merchants were stamping children’s<br />
7 <strong>Biometric</strong>s-Now and Then: The Development of <strong>Biometric</strong>s Over the Last<br />
40 Years. James L. Wayman. Used with permission.<br />
8 According to James L. Wayman in <strong>Biometric</strong>s-Now and Then: The Development<br />
of <strong>Biometric</strong>s Over the Last 40 Years. New York Times article:<br />
“<strong>Technology</strong>; Recognizing the Real You” A. Pollack. September 24, 1981.<br />
Used with permission.<br />
Version 2 – Summer 2008
Section 2 2 Fundamentals of <strong>Biometric</strong>s<br />
Figure 2-1 Chart demonstrating<br />
“Bertillonage” measurements.<br />
9<br />
palmprints and footprints on paper<br />
with ink to distinguish the children<br />
from each other.<br />
The first modern study of fingerprints<br />
was done by Johannes Evangelista<br />
Purkinje, a Czech physiologist<br />
and professor of anatomy at<br />
the University of Breslau. In 1823,<br />
he proposed a system of fingerprint<br />
classification.<br />
The English began using palm and<br />
fingerprints in India in July 1858,<br />
when Sir William Herschel pressed<br />
handprints on the backs of contracts.<br />
Herschel moved from palmprints<br />
to prints of the right index<br />
and middle fingers.<br />
In the 1890s, an anthropologist and police desk clerk in<br />
Paris, France, named Alphonse Bertillon sought to fix the<br />
problem of identifying repeat offenders who often gave<br />
aliases each time they were arrested. Bertillon realized<br />
that certain elements of the body remained stable and<br />
unchanging, such as the size of the skull or the length<br />
of the fingers. He developed a method of multiple body<br />
measurements that was named after him and called<br />
Bertillonage. His system was used by police around the<br />
world but quickly faded when it was discovered that<br />
some people shared the same measurements in certain<br />
parts of their bodies.<br />
9 Source unknown.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 3<br />
In the late 19th century, Sir Francis Galton wrote a detailed<br />
study of fingerprints in which he presented a new<br />
classification system using prints of all 10 fingers. According<br />
to Galton’s calculations, the odds of two individual<br />
fingerprints being the same were 1 in 64 billion.<br />
Galton identified the characteristics by which fingerprints<br />
can be identified (minutia), which are basically<br />
the same ones still in use today. This classification of<br />
minutia is often referred to as Galton’s Details.<br />
Also, during the 1890s, the police in Bengal, India, under<br />
the British police officer Sir Edward Richard Henry, began<br />
using fingerprints to identify criminals. As assistant commissioner<br />
of metropolitan police, Henry established the<br />
first British fingerprint files in London in 1901. The Henry<br />
Classification System is used today in all English speaking<br />
countries.<br />
In 1903, the New York State Prison System began the first<br />
systematic use of fingerprints in the United States for<br />
criminals.<br />
In 1904, the use of fingerprints began in Leavenworth<br />
Federal Penitentiary in Kansas and at the St. Louis [Missouri]<br />
Police Department.<br />
In 1905, the U.S. Army began using fingerprints. Two<br />
years later, the U.S. Navy began using fingerprints and<br />
was joined the following year by the Marine Corps. During<br />
the next 25 years, increasing numbers of law enforcement<br />
agencies joined in the use of fingerprints as a<br />
means of personal identification.<br />
Some of the earliest work on machine recognition of faces<br />
can be traced back to the 1960s at a company called<br />
Panoramic Research in Palo Alto, California. This type of<br />
Version 2 – Summer 2008
Section 2 4 Fundamentals of <strong>Biometric</strong>s<br />
research, later referred to as artificial intelligence, was<br />
conducted by Woody Bledsoe, a pioneer in the field of<br />
automated reasoning. The technique he developed was<br />
called “man-machine facial recognition” and used a process<br />
known as feature extraction.<br />
Nineteen seventy-four was a breakthrough year for<br />
automated biometrics, as the University of Georgia<br />
began using hand geometry in its dormitory food service<br />
areas. Both the Stanford Research Institute in the United<br />
States and the National Physical Laboratory in the United<br />
Kingdom had begun working on signature recognition<br />
systems.<br />
In 1985, one of the first retinal scanning systems was<br />
deployed for securing access to a Defense Department<br />
facility at the Naval Postgraduate School.<br />
In the mid-1980s, the State of California began collecting<br />
fingerprints as a requirement for all driver license applications.<br />
The first biometric industry organization, the International<br />
<strong>Biometric</strong>s Association (IBA), was founded in<br />
1986–1987.<br />
Iris recognition technology was developed in the 1980s<br />
by Dr. John Daugman at the University of Cambridge.<br />
Other new technologies produced during this time included<br />
facial thermography and the first commercially<br />
available facial recognition systems.<br />
In 1998, the International <strong>Biometric</strong> Industry Association<br />
(IBIA) was founded in Washington, DC, as a non-profit industry<br />
trade association to advance the collective international<br />
interests of the biometric industry. The National<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 5<br />
<strong>Biometric</strong> Security Project (NBSP) was founded in 2001<br />
to respond to the events of September 11, 2001, and the<br />
need for accelerated development and deployment of<br />
biometrics technologies.<br />
How <strong>Biometric</strong> Technologies Work—<br />
In General<br />
At their most basic level, biometric technologies are<br />
pattern recognition systems that use either image-<br />
acquisition devices, such as scanners or cameras in the<br />
case of fingerprint or iris recognition technologies, or<br />
sound or movement acquisition devices, such as microphones<br />
or platens in the case of voice recognition or signature<br />
recognition technologies, to collect the biometric<br />
patterns or characteristics. The characteristics of the ac-<br />
Figure 2-2 Generic <strong>Biometric</strong> Process<br />
Version 2 – Summer 2008
Section 2 6 Fundamentals of <strong>Biometric</strong>s<br />
Figure 2-3 Diagram of a “generic” biometric-based system. 10<br />
quired samples considered the most distinctive between<br />
users and the most stable for each user are extracted and<br />
encoded into a biometric reference or template that is<br />
a mathematical representation of a person’s biometric<br />
feature. These templates are stored in a database or on<br />
a smart card or other token and used for comparison<br />
when recognition is warranted. <strong>Biometric</strong> systems are<br />
automated by hardware and software, allowing for fast,<br />
real-time decision making in identification situations.<br />
Different biometric technologies offer varying features<br />
and benefits, which should be analyzed based on how<br />
and why they will be used. They all vary in performance,<br />
capabilities, infrastructure requirements, and cost, and<br />
all have their unique limitations and operating methodologies.<br />
10 Provided courtesy of SAFLink Corporation. Used with per-<br />
mission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 7<br />
While individual biometric devices and systems each<br />
have their own operating methodology, there are some<br />
generalizations that can be made as to what typically<br />
happens within a biometric system implementation.<br />
Before an individual’s identity can be verified via a biometric,<br />
a biometric template or model must first be created.<br />
This template serves as the template data against<br />
which subsequent samples/templates provided at time<br />
of verification are compared. For some technologies, a<br />
number of templates or images are typically captured<br />
during enrollment in order to create a truly representative<br />
template via an averaging or best image candidate<br />
selection process. The template is then referenced<br />
against an identifier (typically a PIN or passcode if used in<br />
conjunction with existing access control tokens) in order<br />
to recall it for comparison with a live sample at the transaction<br />
or entry point.<br />
The positive ID verification/identification of the subject<br />
during the enrollment procedure and quality of the resultant<br />
template or reference are critical factors in the overall<br />
success of a biometric application. The former refers<br />
to the corroborating identity documents (commonly referred<br />
to as “breeder documents”) the user brings to the<br />
initial enrollment process. These documents, or other<br />
sources of validation, must undergo the highest scrutiny,<br />
lest the biometric be associated with a false identity.<br />
A poor quality template or reference can cause considerable<br />
problems for the user, often resulting in re-enrollment.<br />
Template storage is an area of considerable and<br />
growing concern, particularly with large-scale applications<br />
that may accommodate hundreds-of-thousands of<br />
individuals. The resources to assure the security, quality,<br />
Version 2 – Summer 2008
Section 2 8 Fundamentals of <strong>Biometric</strong>s<br />
maintenance, and management of the data can be formidable<br />
and the liability, should the security of the templates<br />
be breached, considerable.<br />
Possible template storage options include:<br />
1.<br />
2.<br />
3.<br />
Store the template within the biometric reader device<br />
or PC.<br />
Store the template remotely in a central repository.<br />
Store the template on a portable token or media,<br />
such as a smart card.<br />
Option 1: Storing the template within the biometric reader<br />
device or PC has both advantages and disadvantages,<br />
depending on exactly how it is implemented. The advantage<br />
is potentially fast operation as a relatively small<br />
number of templates may be stored and manipulated efficiently<br />
within the device or PC. In addition, there is no<br />
reliance on an external process or data link to access to<br />
the template. In the event of device failure, an alternative<br />
device or access point may be substituted as a temporary<br />
measure. In some cases where devices may be<br />
networked together directly, it is possible to share templates<br />
across the network.<br />
The potential disadvantage is that templates may be<br />
somewhat vulnerable and dependent upon the device<br />
being both present and functioning correctly. If anything<br />
happens to the device, the template database may<br />
need to be re-installed or the user re-enrolled. For templates<br />
stored on a hard drive of a personal computer,<br />
damage to the disk drive or corrupted data may require<br />
re-enrollment of the user.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 9<br />
Option 2: Storing the template in a central repository is<br />
the option that will most likely occur to IT systems administrators.<br />
This may work well in a secure networked<br />
environment where there is sufficient operational speed<br />
for template retrieval to be invisible to the user. Use of<br />
a central data repository also allows more effective use<br />
through network-wide enrollment and disenrollment.<br />
While very large central databases raise other concerns<br />
discussed elsewhere in this manual, they might be the<br />
only efficient way to manage a large identity management<br />
system. Care should be taken in system design to<br />
ensure the templates are protected when in transit over<br />
the network through encryption.<br />
Potential disadvantages could be that with a large number<br />
of readers working simultaneously, there could be<br />
significant data traffic, especially if users are impatient<br />
and submit multiple verification/identification attempts.<br />
The size of the biometric template itself will have some<br />
impact on this issue, with popular methodologies varying<br />
between nine bytes and 6Kb. Another aspect to consider<br />
is if the network fails, when the system effectively stops<br />
unless there is reliable network backup or some type of<br />
additional local/remote storage. This may be possible to<br />
implement with some devices using the internal storage<br />
on a device or PC for recent cached or localized users and<br />
instructing the system to search the central repository if<br />
the template cannot be found locally.<br />
Option 3: Storing the template on a token is an attractive<br />
option for two reasons. First, it requires no local or central<br />
storage of templates and, second, the user carries his/<br />
her template with him/her and can use it at any authorized<br />
reader device. The template could be stored in the<br />
memory of the card or token device or even printed on a<br />
card or document in barcode format.<br />
Version 2 – Summer 2008
Section 2 10 Fundamentals of <strong>Biometric</strong>s<br />
Potential disadvantages include the potential loss or<br />
damage of the token and the resulting need to re-enroll<br />
the user. Additionally, if the user is attracted to the system<br />
because he/she believes or was advised that he has<br />
effective control and ownership of his own template,<br />
there may be objections to also storing the templates<br />
elsewhere in the system. Another potential disadvantage<br />
may be unit cost and system complexity if chip<br />
card/smart card readers and biometric readers need to<br />
be combined at each enrollment and verification station.<br />
Finally, if the chip’s operating system and data are successfully<br />
hacked, this option could be vulnerable from a<br />
security standpoint.<br />
Overview of <strong>Application</strong>s<br />
Each biometric technology has its set of strengths and<br />
weaknesses, depending upon its application. It is therefore<br />
imperative that there is a clear understanding of the<br />
final application(s) and their operational requirements<br />
before any purchase and implementation decisions are<br />
made. Although the use of each biometric is clearly different,<br />
some striking similarities can emerge when considering<br />
various applications. Most biometric applications<br />
can be divided into the following categories: 11<br />
• Overt or covert systems—Will<br />
the user proactively<br />
and knowingly be identified by the system or will it<br />
be designed to covertly scan the secured area? Either<br />
way, a person must have a biometric template<br />
on file for him/her to be recognized.<br />
11 Adapted from Fundamentals of <strong>Biometric</strong> Authentication Technologies.<br />
James L. Wayman National <strong>Biometric</strong> Test Center. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 11<br />
• Voluntary or involuntary systems—Will<br />
system users<br />
be required to participate in the system to receive access<br />
or benefits, or are there opt-out or work-around<br />
options?<br />
• Attended or non-attended systems—Will<br />
the system be<br />
designed for people to use in a remote location, without<br />
assistance? Or will users always have technical<br />
assistance and/or attendants available? Involuntary<br />
and/or covert systems usually require supervision or<br />
attendance to monitor system use. Voluntary and/or<br />
overt systems may be “unattended.”<br />
• Standard or non-standard operating environments—<br />
How much customization will be required for the<br />
readers to operate appropriately and the network to<br />
communicate and function properly? Will the system<br />
be used outdoors or indoors? Outdoors environments<br />
typically fall into “non-standard” operating<br />
environments.<br />
• Public or private systems—Is<br />
the use of the biometric<br />
system for a public program or access to a public<br />
facility, or for access to a private company or information?<br />
Cooperation with the biometric system can<br />
often be directly attributed to whether a system is<br />
public or private (i.e., employees).<br />
• Physical security and access control—Are<br />
users trying<br />
to gain access to a facility or area?<br />
Cyber and computer/network security<br />
• —Are users trying<br />
to gain access to a computer or protected information<br />
on a computer or the Internet?<br />
Version 2 – Summer 2008
Section 2 12 Fundamentals of <strong>Biometric</strong>s<br />
• Identification—Is<br />
the biometric being used for identification<br />
purposes for access to benefits, information,<br />
border crossing, licensing, etc.?<br />
<strong>Biometric</strong> applications can operate in either of two<br />
modes—verification or identification. Verification is the<br />
process of comparing a presented biometric template<br />
with stored biometric reference(s) that are associated<br />
only with that specific user. Verification applications are<br />
often referred to as one-to-one matching (or 1:1). During<br />
the verification process, a user will typically enter<br />
their name, unique ID number or present a token or ID<br />
card. This becomes their “claim” of identity. Then the user<br />
must authenticate or verify against their claim of identity<br />
by presenting their biometric sample and having the resulting<br />
template matched against the reference(s) associated<br />
with that user’s enrollment record. In verification<br />
applications, the user is attempting to prove that they<br />
are the person that they claim to be. Verification is commonly<br />
used in access control applications where a person<br />
has already been granted privileges or access rights<br />
and the system needs to verify that the person seeking<br />
access under that name or identity is, in fact, that person.<br />
In identification applications, the system is attempting to<br />
determine if the person is known to the system (with or<br />
without a claimed identity) by comparing the presented<br />
biometric sample and resultant template with all known<br />
references in the database. Identification is also referred<br />
to as one-to-many matching (or 1:N). Identification applications<br />
are typically used for law enforcement investigations<br />
or to screen applicants for entitlement benefits<br />
to make sure that the person is not already enrolled in<br />
the system and receiving benefits under another name<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 13<br />
or identity. Identification is often performed during or<br />
immediately following the initial enrollment of the person<br />
and may not provide an immediate result depending<br />
on the matching speed of the technology and the number<br />
of records being matched.<br />
Errors and Error Rates<br />
No biometric system can recognize a person absolutely.<br />
While it appears to give a simple yes or no answer, it<br />
is, in fact, measuring how similar the current biometric<br />
data is to the record stored in the database and makes a<br />
decision according to the probability that the biometric<br />
sample comes from the same person that provided the<br />
stored biometric template. While there are several types<br />
of errors that occur in biometric systems, there are two<br />
major classes of errors that relate to the system’s accuracy;<br />
comparison errors and decision errors.<br />
The errors discussed below have error “rates” associated<br />
with them. Thus, a False Match has a False Match Rate<br />
(FMR) associated with it, a False Non-Match a False Non-<br />
Match Rate (FNMR) and so on. These rates are established<br />
by extensive testing, and are nothing more than<br />
how often these errors have been shown to occur during<br />
testing. Expressed mathematically, a rate is the expected<br />
probability that this error will occur in this biometric system.<br />
These rates provide quantifiable metrics that allow<br />
one to compare the effectiveness of various technologies<br />
and the various products therein.<br />
Comparison errors are erroneous matches or nonmatches<br />
that could be considered “machine functions,”<br />
or more semantically correct, machine malfunctions.<br />
Version 2 – Summer 2008
Section 2 14 Fundamentals of <strong>Biometric</strong>s<br />
A false match is an erroneous conclusion by the biometric<br />
system that a template stored in its database is from the<br />
same person that has just presented a biometric sample,<br />
when in fact, it is not.<br />
A false non-match is an erroneous conclusion by the biometric<br />
system that a template stored in its database is<br />
not from the same person that has just presented a biometric<br />
sample, when in fact, it is.<br />
Decision errors are erroneous conclusions arising from<br />
comparison errors. The definitions of decision errors depend<br />
upon the application (the premise by which a subject<br />
uses the system).<br />
A false accept in an application such as access control,<br />
where the subject makes a “positive” claim of enrollment<br />
(“I am enrolled as Pat”) is an erroneous conclusion by the<br />
biometric system that a template stored in its database<br />
is from the same person that has just presented a biometric<br />
sample, when in fact, it is not. A false accept rate<br />
(FAR), is the expected probability that this will occur in<br />
this particular biometric system, in this application. In<br />
a positive identification application, false accept is the<br />
same as false match.<br />
A false reject in a positive identification application such<br />
as access control is an erroneous conclusion by the biometric<br />
system that a template stored in its database is<br />
not from the same person that has just presented a biometric<br />
sample, when in fact, it is. A false reject rate (FRR),<br />
is the expected probability that this will occur in this particular<br />
biometric system, in this application. In a positive<br />
identification application, false reject is the same as false<br />
non-match.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 15<br />
A false accept in a negative identification application<br />
where a “negative” claim of enrollment (such as watch<br />
lists, or benefits entitlements, where a person claims “I<br />
am not enrolled in the system”) is an erroneous conclusion<br />
by the biometric system that no template stored in<br />
its database is from the same person that has just presented<br />
a biometric sample, when in fact, one is. A false<br />
accept rate (FAR) is the expected probability that this will<br />
occur in this particular biometric system, in this application.<br />
In a Negative identification application, false accept<br />
is the same as a false non-match, although the rates may<br />
be different depending upon the number of comparison<br />
attempts made in reaching the “accept” decision.<br />
A false reject in a negative identification application<br />
(such as watch lists, or benefits entitlements) is an erroneous<br />
conclusion by the biometric system that a template<br />
stored in its database is from the same person<br />
that has just presented a biometric sample, when in<br />
fact, it is not. A false reject rate (FRR), is the expected<br />
probability that this will occur in this particular biometric<br />
system, in this application. In a negative identification<br />
application, false reject is the same as false match,<br />
although their rates may be different depending upon<br />
the number of comparisons required to make a “reject”<br />
decision.<br />
This somewhat confusing distinction is the result of<br />
new, non-traditional applications that have been developed<br />
for biometric systems. Historically, FAR and FRR<br />
have been used synonymously with FMR and FNMR<br />
respectively. However, with the emergence of negative<br />
identification systems, usually 1:N identification systems,<br />
they are no longer synonymous.<br />
Version 2 – Summer 2008
Section 2 16 Fundamentals of <strong>Biometric</strong>s<br />
In traditional access control applications (positive ID systems),<br />
the premise of the user was always “I am in the system<br />
and entitled to enter.” A false acceptance occurred<br />
when the subject was an impostor and not entitled to<br />
entry, but as the result of a false match, he was allowed<br />
entry. Likewise, subjects who were legitimately enrolled<br />
in the systems became victims of a false rejection when<br />
there was a false non-match.<br />
In today’s negative identification systems such as watch<br />
lists, correctional facilities, and detection of double dippers<br />
in benefits entitlement programs, the premise of<br />
the user is “I’m not in the system and never have been.”<br />
In these applications, a false accept occurs when the system<br />
commits a false non-match error, and a false reject<br />
occurs when the system commits a false match error.<br />
Failure to Acquire<br />
Further adding to the confusion of terms is the condition<br />
of “failure to acquire,” which may be construed as a<br />
false reject. This condition may occur when the reader<br />
or imager fails to capture an image of sufficient quality<br />
to produce a usable template. If the device or system is<br />
not capable (and most are not) of detecting the difference<br />
or reason for the rejection (no match or poor quality),<br />
the conclusion may be incorrect.<br />
Further into the manual, an attempt will be made to sort<br />
out a more useful way to consider these terms and rates,<br />
particularly in assessing test results.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 17<br />
Personal <strong>Biometric</strong> Criteria<br />
Any human biological or behavioral characteristics can<br />
become a biometric identifier, provided the following<br />
properties 12 are met:<br />
• Universality:<br />
Every person should have the characteristic.<br />
There are always exceptions to this rule:<br />
mute people, people without fingers, or those with<br />
injured eyes. These exceptions must be taken into account<br />
through “work-arounds” such as conventional<br />
non-biometric authentication processes. Most biometric<br />
devices have a secure override if a physical<br />
property is not available, such as a finger, hand, or<br />
eye. In these cases, the person is assigned a special<br />
access device, such as a password, PIN, or secure token.<br />
This special access code or token is entered into<br />
the biometric device to allow access.<br />
• Distinctiveness:<br />
No two people should have identical<br />
biometric characteristics. Monozygotic13 twins, for<br />
example, cannot be easily distinguished by face recognition<br />
and DNA-analysis systems, although they<br />
can be distinguished by fingerprints or iris patterns.<br />
• Permanence:<br />
The characteristics should not vary or<br />
change with time. A person’s face changes significantly<br />
with aging and a person’s signature and its<br />
dynamics may change as well, sometimes requiring<br />
periodic re-enrollment. The degree of permanence<br />
12 Adapted from An Introduction to <strong>Biometric</strong> Recognition. Jain, Ross,<br />
and Prabhakar. IEEE Transactions on Circuits and Systems for Video<br />
<strong>Technology</strong>. ® January 2004 IEEE. Used with permission.<br />
13 A type of twins derived from a single (mono) egg (zygote).<br />
Version 2 – Summer 2008
Section 2 18 Fundamentals of <strong>Biometric</strong>s<br />
of the biometric feature has a major impact on system<br />
design.<br />
• Collectability:<br />
Obtaining and measuring the biometric<br />
feature(s) should be easy, non-intrusive, reliable,<br />
and robust, as well as cost effective for the application.<br />
<strong>Biometric</strong> System-Level Criteria<br />
The preceding personal biometric criteria may be used<br />
for evaluating the general viability of the chosen biometric<br />
identifier. Once incorporated into a system design,<br />
the following criteria 14 are key to assessing a given<br />
biometric system for a specific application:<br />
• Performance refers to the accuracy, resources, and<br />
environmental conditions required to achieve the<br />
desired results.<br />
• Circumvention refers to how difficult it is to fool the<br />
system by fraudulent means. An automated access<br />
control system that can be easily fooled with a fingerprint<br />
prosthetic or a photograph of a user’s face<br />
does not provide much security—particularly in an<br />
unattended environment.<br />
• Acceptability indicates to what extent people are willing<br />
to accept the biometric system. Face recognition<br />
systems are personally not intrusive, but there are<br />
countries where taking photos or images of people<br />
14 An Introduction to <strong>Biometric</strong> Recognition. Jain, Ross, and Prabhakar.<br />
IEEE Transactions on Circuits and Systems for Video <strong>Technology</strong>. ® January<br />
2004 IEEE. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 19<br />
are not viable. Systems that are uncomfortable to the<br />
user, appear threatening, require contact that raises<br />
hygenic issues, or are basically non-intuitive in practical<br />
use will probably not find wide acceptance.<br />
Key Elements of <strong>Biometric</strong> Systems 15<br />
There are four universal elements to all biometric systems:<br />
1.<br />
2.<br />
3.<br />
4.<br />
Enrollment<br />
<strong>Biometric</strong> Template (or Reference)<br />
Comparison and Comparison Errors<br />
Networking<br />
Typically, biometric systems or devices have three primary<br />
components:<br />
1.<br />
2.<br />
3.<br />
Automated mechanism that scans or photographs<br />
(video or still) and captures a digital or analog image<br />
of a living biometric characteristic.<br />
Another mechanism that handles compression, storage,<br />
processing, and comparison of the captured data<br />
with the stored data (enrollment template).<br />
Interface with the application system.<br />
15 Adapted from <strong>Biometric</strong>s: A Technical Primer. Elaine Newton and John<br />
Woodward. Army <strong>Biometric</strong> <strong>Application</strong>s: Identifying and Addressing Sociocultural<br />
Concerns. 2001. www.rand.org Santa Monica, CA: RAND<br />
Corporation. Used with permission.<br />
Version 2 – Summer 2008
Section 2 20 Fundamentals of <strong>Biometric</strong>s<br />
Key issues and considerations surrounding the four universal<br />
elements of all biometric-based systems can be<br />
described as follows.<br />
1. Enrollment<br />
Proper enrollment instruction and training are essential<br />
to good biometric system performance. Enrollment<br />
is the first stage for biometric system set-up because it<br />
generates the template that will be used for all subsequent<br />
comparison and user recognition. In enrollment, a<br />
biometric system is “trained” to recognize a specific person.<br />
Typically, the reader takes multiple samples of the<br />
same biometric that is presented by the user/enrollee<br />
and averages them or selects the best quality sample to<br />
produce an enrollment reference or template.<br />
Not all biometric systems require the linkage of users<br />
to “real world” identities. In fact, a number of companies<br />
have actively promoted the use of “anonymous”<br />
biometrics, linking users only to the biometric template,<br />
without any record of “real” name or other identifier. In<br />
most applications, however, there is a need to link users<br />
to their legal identities for the purposes of accountability<br />
and certification of external authorizations. In these<br />
cases, the user/enrollee first provides his/her identification<br />
document, such as a government-issued ID card,<br />
passport, or driver license. Since the biometric template<br />
is linked in many biometric systems to the identity specified<br />
on the identification document, this identification<br />
must be thoroughly authenticated (refer to the discussion<br />
of “breeder documents” that follows). He/she then<br />
presents his/her biometric (i.e., fingerprint, voice pattern,<br />
iris pattern, signature, etc.) to the biometric reader. The<br />
features of the presented biometric are read, calculated,<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 21<br />
coded, and stored as the enrollment template for future<br />
comparisons.<br />
<strong>Biometric</strong> template size varies, depending on the vendor<br />
and the type of biometric technology. (See Comparison<br />
of <strong>Biometric</strong> Technologies – Matrix I in Section 3 for template<br />
sizes of various technologies.) Templates can either<br />
be stored in a central database, or within a biometric<br />
reader, or on smart cards or other tokens.<br />
For some biometric technologies, changes in the user’s<br />
position or variations in the lighting surrounding the<br />
reader, for example, can affect template generation. Ideally,<br />
when the biometric system is deployed, enrollments<br />
and daily usage will be done in the same environment,<br />
using the same equipment. For example, if voice verification<br />
is used in an environment where there is background<br />
noise, both the enrollment voice template and<br />
live voice templates [presented for recognition] should<br />
be captured in the same environment. It is important to<br />
remember that the quality of the initial enrollment template<br />
and the absolute validity of the initial ID document<br />
that is used to “verify” a person’s identity prior to biometric<br />
enrollment are critical to the overall success of the biometric-based<br />
system that requires linking of users to “real<br />
world” identities and authorizations.<br />
Pre-Enrollment Identity Validation<br />
Not unlike the old cliché regarding computers, “garbage-<br />
in-garbage out,” the legitimacy of the identity attached<br />
to a new biometric template at the time of enrollment<br />
in the system may be a significant weakness in the entire<br />
process. If the basis of the individuals claim to an<br />
identity presented at enrollment is not valid, we are ef-<br />
Version 2 – Summer 2008
Section 2 22 Fundamentals of <strong>Biometric</strong>s<br />
fectively granting the individual a new identity initiated<br />
with the enrollment event. To minimize the potential for<br />
fraudulent enrollment, a pre-enrollment validation, or<br />
identity “proofing,” process that relies on identity source<br />
documents (or “breeder documents”), validated templates,<br />
personal history data mining, and background<br />
investigations, can, in various combinations, be very<br />
helpful. This process may be costly and time-consuming.<br />
To the degree it can be automated without sacrificing<br />
integrity, it should be considered a critical part of the<br />
biometric deployment plan. It should be emphasized,<br />
however, that not all biometric systems require any<br />
linkage to “real” identities and that such linkage should<br />
not be made unless required. Some of the largest biometric<br />
systems now in use, such as that for access control<br />
at Walt Disney World in Orlando, Florida, require<br />
no linkage to “real” identity and consequently no pre-<br />
enrollment identity validation.<br />
Breeder Documents (Identity Source Documents)<br />
Documents that are useful in providing some basis for<br />
claims to identity for biometric enrollment are sometimes<br />
referred to as identity source documents (also “breeder”<br />
or “foundation” documents) and include; passports; birth<br />
certificates; driver licenses; social security cards; government<br />
or private sector organizational identity cards; program<br />
eligibility identity cards; etc. Documents that contain<br />
both a photograph and personal identity data are<br />
more useful, as are documents that can be used to access<br />
a database for source authentication (for example, a<br />
state database of vital statistics or drivers license). Documents<br />
that are designed to deter counterfeiting are also<br />
preferable to those that can be more easily duplicated.<br />
In some societies, the availability or use of “breeder” doc-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 23<br />
uments is limited, or a more recent enterprise.<br />
Data Mining, References, and Background<br />
Investigations<br />
While general Internet searches to access information related<br />
to individuals raises the specter of privacy invasion,<br />
a focused and limited use to validate an identity claim for<br />
biometric enrollment can be useful and non-invasive. An<br />
individual seeking enrollment should be advised that a<br />
reasonable attempt to verify data they provide to support<br />
their identity claim may be made by various means,<br />
including search of data on the Internet. Direct contact<br />
with references and inquiries to validate historical and biographical<br />
information supplied by the candidate for enrollment<br />
should all be included in the basis for “informed<br />
consent” requested of the individual. Careful consideration<br />
must be given, however, to whether linkage of the<br />
records in the biometric system to external “legal” records<br />
is really required and, if so, to what purpose and extent.<br />
All of the common methods briefly described herein to<br />
validate identity prior to enrollment are, of course, more<br />
practical in societies and national entities where documentation<br />
of individual identity and maintenance of statistics<br />
from birth and throughout life are available. Where<br />
this is not the case, the requirement is considerably more<br />
difficult. Any reasonable means that do exist (for instance,<br />
religious, educational, or health records) should be used<br />
as alternatives to routine identification documents. In<br />
such cases, a more detailed background file on initial enrollment<br />
should also be constructed to document the<br />
limited nature of pre-enrollment validation while beginning<br />
the process of establishing a strong identity record<br />
for the future.<br />
Version 2 – Summer 2008
Section 2 24 Fundamentals of <strong>Biometric</strong>s<br />
While the extent to which this process is developed and<br />
pursued should, at least partially, be matched to the level<br />
of importance, eligibility, or access that will be gained by<br />
enrollment, administrators and managers should consider<br />
the broader implications of biometric enrollment<br />
that also justify such procedures.<br />
At least a part of the terminology “breeder” document reflects<br />
the tendency to accept a past assignment of identity<br />
as the basis for validating a new claim. This is as true<br />
for prior biometric enrollments as it is for identification<br />
documents. Therefore, enrollment in a biometric system<br />
with little or no pre-validation actions could be the beginning<br />
(or breeding) of a repetitive process for establishing<br />
new, but false, identities. Some might argue that<br />
the ability of certain biometric technologies to generally<br />
operate in the 1:N (one to many) technique will mitigate<br />
against this threat because the “new” identity gained by<br />
the imposter will be attached to them forever. While aspects<br />
of this argument are valid, it is still true that most<br />
biometrics function in the verification (one to one) mode<br />
and we can expect that to be true for the foreseeable future.<br />
There should also be no concession to a free pass<br />
on a fraudulent attempt to change identity, even if it will<br />
only happen once.<br />
A complete biometric system or sub-system should include<br />
a justification for the need to link to external identities,<br />
and if that justification proves adequate, incorporate<br />
a process or procedure for pre-validation of claimed<br />
identity before the candidate for enrollment is accepted.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 25<br />
2. <strong>Biometric</strong> Reference (or Template)<br />
The data that is captured during enrollment is stored in<br />
the biometric system as a template or reference. The biometric<br />
system software will use a proprietary algorithm<br />
to extract features that are appropriate to that biometric<br />
as presented by the user, or enrollee. It is important to<br />
note that biometric templates are only a record of distinguishing<br />
features of a person’s biometric characteristic<br />
or trait. Templates are usually not actual images of<br />
the fingerprint, iris, or hand, etc. <strong>Biometric</strong> templates are<br />
generally only numerical (mathematical or algorithmic)<br />
representations of key data points (or minutia) read in a<br />
person’s biometric feature.<br />
Typically, templates are relatively small in<br />
terms of data-storage size 16 when compared<br />
with the original image or source pattern<br />
data and, therefore, allow for more efficient<br />
storage and quick processing. Each must be<br />
stored, whether in a central database or on a<br />
smart card or other token, so when the user attempts<br />
to access the system, the characteristics<br />
derived from the live biometric can be directly<br />
compared to the enrolled template. <strong>Biometric</strong><br />
experts claim that it is virtually impossible to<br />
reverse-engineer or recreate exactly a person’s<br />
original biometric image, such as a fingerprint<br />
16 In terms of the amount of computer memory needed to store and<br />
process the reference.<br />
17 Graphic from Fingerprint Matching Using Minutiae and texture<br />
Features. Proceedings of the International Conference on Image<br />
Processing (ICIP), Greece. Anil Jain, Arun Ross, Salil Prabhakar. October<br />
2001.<br />
Version 2 – Summer 2008<br />
Figure 2-4 Minutia-basedfingerprint<br />
image<br />
with detected<br />
minutia points<br />
marked. 17
Section 2 26 Fundamentals of <strong>Biometric</strong>s<br />
or iris image, from a biometric template, although it is<br />
quite possible in some types of biometrics to reverse-engineer<br />
an artificial image capable of generating the same<br />
template.<br />
3. Comparison and Comparison Errors<br />
Comparison is the act of comparing one (or more) acquired<br />
biometric sample to one (or more) stored biometric<br />
templates to determine whether they “match,” that is,<br />
come from the same source. In essence, there are three<br />
ways a mistake can be made:<br />
1.<br />
2.<br />
3.<br />
Failure to enroll and failure to acquire<br />
False acceptance (FAR)<br />
False rejection (FRR)<br />
Both failure to enroll and failure to acquire (during the<br />
comparison process) mean the system is unable to “extract”<br />
and distinguish the appropriate features of the<br />
user’s biometric. For example, a small percentage of<br />
the population cannot enroll a fingerprint, either because<br />
their fingerprints are not distinctive enough or<br />
the characteristics have been altered due to age or occupation.<br />
Failure to enroll and/or failure to acquire indicate<br />
this person’s biometric characteristics may not be<br />
of sufficient quality to be used for recognition.<br />
In access control systems, a false acceptance occurs<br />
when a sample is incorrectly matched to a different user’s<br />
template in a database (in the case of an access control<br />
system, an impostor is allowed in the building). A<br />
false rejection occurs when a sample is incorrectly not<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 27<br />
matched to an otherwise correct matching template in<br />
the database (in the case of an access control system, a<br />
legitimate enrollee is falsely rejected).<br />
In most biometric systems, the false acceptance and false<br />
rejection thresholds can be adjusted, depending upon<br />
the level of security required. For example, in a high security<br />
access control application, the system can be adjusted<br />
to err on the side of denying legitimate matches and<br />
not tolerating impostors. Alternatively, a convenience-<br />
focused application could be adjusted to offer little or no<br />
denial of legitimate matches, while allowing some minimal<br />
acceptance of impostors.<br />
No biometric decision is 100 percent perfect in either verification<br />
or identification mode because each time a biometric<br />
is captured the extracted characteristics are likely<br />
to be a little different due to changes in the environment,<br />
lighting, user positioning, etc. Therefore, biometric systems<br />
can be configured to make a match or no-match<br />
decision based on a predefined mathematical measure<br />
of similarity or difference, referred to as a threshold. This<br />
threshold establishes the acceptable degree of similarity<br />
between the presented sample and the template/enrollment<br />
reference.<br />
Upon comparison, a score representing the degree of<br />
similarity (or difference, depending upon the system)<br />
between the sample and template is calculated, and this<br />
score is compared to the threshold to make a match or<br />
no-match decision. For algorithms for which the similarity<br />
between the two is calculated, a score exceeding the<br />
threshold is not considered a match. For algorithms for<br />
which the difference between the two is calculated, a score<br />
below the threshold is considered a match. Depending<br />
on the setting of the threshold in identification systems,<br />
Version 2 – Summer 2008
Section 2 28 Fundamentals of <strong>Biometric</strong>s<br />
Figure 2-5 Example of decision threshold for an iris recognition<br />
system. 18<br />
sometimes several enrollment templates can be considered<br />
matches to the live, presented sample, with better<br />
scores corresponding to better matches.<br />
4. Networking<br />
There are possible variations on a theme with regard to<br />
networks. Some biometric systems/readers have integral<br />
networking functionality, often via RS485 or RS422,<br />
with a proprietary protocol. This may enable networking<br />
a number of readers together with little or no additional<br />
equipment involved, or maybe with a monitoring PC<br />
connected at one end of the network.<br />
18 Source: NBSP files.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 29<br />
Alternatively, the networking, message passing, and<br />
monitoring system may be designed by the system integrator,<br />
taking advantage of generic biometric <strong>Application</strong><br />
Program Interfaces 19 (APIs) for accessing reader<br />
functions directly. This allows the most flexibility and<br />
control over systems design, provided that the selected<br />
biometric reader and underlying device drivers and control<br />
software support network applications. Still, another<br />
option may be to use the vendor’s network for message<br />
passing and primary interconnection, coupled with custom<br />
software at the monitoring point, which may in turn<br />
interface with other systems.<br />
In some cases, there might be an existing network and<br />
control interface into which the biometric readers could<br />
be integrated via a common security standard. In some<br />
cases, there may be an existing network and control interface<br />
into which the biometric readers may be integrated<br />
via interface standards such as BioAPI (<strong>Biometric</strong> <strong>Application</strong><br />
Programming Interface) and CBEFF (Common<br />
<strong>Biometric</strong> Exchange Formats Framework). In this case<br />
they will appear as just another reader, although separate<br />
template storage and access may need to be provided.<br />
<strong>Biometric</strong> Performance Metrics<br />
<strong>Biometric</strong> Performance Measures—What Do They<br />
Really Mean?<br />
False accepts, false rejects, equal error points and crossover<br />
rates, enrollment and verification times; these are<br />
19 <strong>Application</strong> program interface: a set of routines, protocols, and tools<br />
for building software applications.<br />
Version 2 – Summer 2008
Section 2 30 Fundamentals of <strong>Biometric</strong>s<br />
Figure 2-6 Graphs showing intersection between<br />
FAR and FRR for verification. 20<br />
typical performance measures quoted by biometric<br />
technology vendors.<br />
False accept rates (FAR) indicate the likelihood that a<br />
“zero effort” impostor may be falsely accepted by the system.<br />
False reject rates (FRR) indicate the likelihood that<br />
the genuine user may be rejected by the system. These<br />
decision errors can often be manipulated by the setting<br />
of a threshold that will bias the device toward one form<br />
of error or another. Thus, an integrator or system administrator<br />
can bias the device towards a larger probability<br />
of false accepts but a smaller probability of false rejects<br />
(user friendly), or, vice versa, towards a larger number of<br />
false rejects and a smaller number of false accepts (user<br />
unfriendly). The two parameters, however, are typically<br />
mutually exclusive.<br />
20 Facial Recognition <strong>Biometric</strong>s: Applying New Concepts on Performance<br />
Improvement and Quality Assessment. Babak Goudarzi Pour and Marcus<br />
Zackrisson. Page 34. May 2003.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 31<br />
Between the two extremes of FAR and FRR lies the equal<br />
error point or cross-over rate where the two values are<br />
equal, and which represents a simpler, but perhaps less<br />
useful, measure of performance than simply FAR or FRR<br />
rates alone. These measures are expressed in percentage<br />
(of error transactions) terms, with an equal error rate of<br />
somewhere between 0.1 percent and 10 percent being<br />
typical performance in real applications.<br />
It is important to remember that the quoted performance<br />
figures for a given system may not be realized in practice<br />
for a number of reasons. Including:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
User training<br />
User discipline<br />
User familiarity with the device<br />
User stress<br />
Individual device condition<br />
User interface design<br />
Speed of device response<br />
External environment; environmental conditions<br />
Vendor quoted statistics may be based upon limited tests<br />
conducted by the vendor under controlled laboratory<br />
conditions, supplemented by mathematical theory. They<br />
should only be viewed as a rough guide and not relied<br />
upon for actual system performance expectations. This<br />
is not because biometrics vendors are trying to mislead,<br />
but because it is almost impossible to provide an accu-<br />
Version 2 – Summer 2008
Section 2 32 Fundamentals of <strong>Biometric</strong>s<br />
rate and repeatable indication of how a device will perform<br />
in a limitless variety of real-world conditions.<br />
Similarly, actual enrollment times will depend upon a<br />
number of variables inherent in the enrollment procedure.<br />
Some questions to consider include:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Are the users pre-educated as to system requirements<br />
and use?<br />
Have they used the device before?<br />
What information is being provided to users about<br />
the quality of their submitted biometric samples?<br />
Is custom software being used?<br />
Is the enrolling administrator adequately trained?<br />
How many enrollment points will be operated?<br />
What other processes are involved?<br />
Individual biometric vendors or integrators cannot possibly<br />
understand or know these variables for every system<br />
and, as such, quoted figures will be based upon their<br />
own in-house experiences under controlled conditions,<br />
usually with trained and cooperative users.<br />
Verification time is also often misunderstood as vendors<br />
will typically describe the average time taken for the<br />
actual verification process, which does not typically include<br />
the time taken to present the live sample or undertake<br />
other processes such as presentation of the token<br />
or keying of a personal identification number (PIN).<br />
Consider also the average time for user error and system<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 33<br />
response, and it is apparent that the end-to-end verification<br />
transaction time may often be different from the<br />
quoted figure.<br />
Given these examples, it is no surprise that biometric device<br />
performance measures have sometimes become a<br />
contentious issue when implementing systems under actual<br />
operating conditions.<br />
Template Storage Considerations<br />
Template management is directly linked to privacy, security,<br />
and convenience. All biometric systems face a common<br />
issue—biometric templates must be stored somewhere.<br />
Templates must be protected to prevent identity<br />
theft and to protect the privacy of users.<br />
Possible locations for biometric template storage include:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
The biometric device or reader<br />
A personal computer disk drive<br />
A central computer database that is accessed remotely<br />
(i.e., database)<br />
A card or token with a bar code or magnetic stripe<br />
RFID cards and tags<br />
Optical memory cards<br />
Smart cards<br />
A USB interface device<br />
Version 2 – Summer 2008
Section 2 34 Fundamentals of <strong>Biometric</strong>s<br />
<strong>Biometric</strong> databases and the issues surrounding them typically<br />
come into play with identification, or one-to-many comparison,<br />
systems where biometric templates of all users are maintained<br />
and housed. When a user needs access, he/she presents his/her<br />
live biometric to the reader and the system performs a comparison<br />
against all references in the database, concluding either a<br />
match or no-match with corresponding access privileges.<br />
The issues surrounding biometric databases primarily concern<br />
the safeguarding of large and valuable collections of personally<br />
identifying information. If such databases are part of an important<br />
security system, they—and the channels used to share the<br />
personally identifying information—are natural targets for attack,<br />
theft, compromise, and malicious or fraudulent use. Security for<br />
template storage in databases is also affected by the number of<br />
uses for that database: Will it have a unique use or will it be used<br />
for multiple security purposes?<br />
For example, a facility manager might use a fingerprint reader<br />
for physical access control to a building. The manager might<br />
also want to use the same fingerprint template database for<br />
his employees to access their computer network. Should the<br />
manager use separate databases for these different uses, or is<br />
he willing to risk accessing employee fingerprint templates<br />
from remote location for multiple purposes, even if those<br />
templates are not the actual fingerprint images but only derived<br />
characteristics?<br />
These issues also concern the need to maintain reliable, up-todate<br />
information about the enrolled users. Databases that seek<br />
to maintain accurate residence information, for example, must<br />
be updated as soon as one moves. Databases that are used<br />
to establish eligibility for benefits must be updated to exclude<br />
persons who are no longer eligible. The broader the function<br />
of the system, the more often and broader the updating is<br />
required.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 35<br />
<strong>Biometric</strong> technology and system vendors could claim privacy<br />
protection via encryption or hashing 21 the biometric data or designing<br />
the database to enforce a privacy policy. Users, however,<br />
have no way to verify whether such technical protections<br />
are effective or implemented properly. Users should be able to<br />
verify any such claims and to leave the system completely if they<br />
are not satisfied. Exiting the system should, at the very least,<br />
include the deletion of the user’s biometric data and corresponding<br />
records.<br />
Transaction Storage<br />
This is an important area where a secure audit trail may be critical.<br />
Some devices will store a limited number of transactions<br />
internally, scrolling over as new transactions are received. Depending<br />
on the extent of the audit trail and “transaction history”<br />
that is required, it might be beneficial to have each biometric device<br />
connected directly to a local PC that may, in turn, be polled<br />
periodically in order to download transactions to a central point.<br />
A local procedure for dealing with error and exceptional conditions<br />
should be adopted, which will require some type of local<br />
messaging. This may be as simple as a relay closure in the event<br />
of a failed transaction, activating an annunciator of some type.<br />
Transaction Management<br />
How the network handles transactions may be of critical importance<br />
in some applications. For example, if multiple terminals<br />
are distributed within a large facility, each requiring a real-time<br />
21 Hash values are used for accessing data or for security. A hash value<br />
is a number generated from a string of text. Hashing is a common<br />
method of accessing data records, typically using a hash table.<br />
Version 2 – Summer 2008
Section 2 36 Fundamentals of <strong>Biometric</strong>s<br />
display of information, this will require fast and reliable<br />
messaging transmission. Each terminal user may wish to<br />
“hold” a displayed transaction until a response has been<br />
initiated. This will require a separate local message buffer<br />
and possibly a message prioritization methodology<br />
to ensure that critical messages are dealt with promptly.<br />
Standards<br />
The biometrics industry includes more than 150 22 separate<br />
hardware and software vendors, each with their own<br />
proprietary interfaces, algorithms, performance parameters,<br />
and integration requirements. Standards are emerging<br />
to provide a common application software interface<br />
and template data formats that might more efficiently<br />
allow cross-sharing of biometric templates and permit<br />
effective (apples-to-apples) comparison and evaluation<br />
of various biometric technologies. A more detailed discussion<br />
of <strong>Biometric</strong> Standards is presented in Section 5:<br />
<strong>Biometric</strong> Standards.<br />
22 According to A Practical Guide to <strong>Biometric</strong> Security <strong>Technology</strong>. Simon<br />
Liu and Mark Silverman. IT Professional. IEEE Computer Society.<br />
® Jan-Feb 2001 IEEE. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 37<br />
Terms and Definitions Related to <strong>Biometric</strong>s<br />
10-Print Card A paper form used to collect both an individual’s<br />
personal and demographic information<br />
along with flat and rolled ink<br />
impression fingerprint images. Mainly<br />
used in conjunction with an Automated<br />
Fingerprint Identification System<br />
(AFIS).<br />
10-Print Match or<br />
Identification<br />
Version 2 – Summer 2008<br />
A positive identification of an individual<br />
by corresponding each of his/her 10<br />
fingerprints to those in a system of record.<br />
Usually performed by an AFIS system<br />
and verified by a human fingerprint<br />
examiner.<br />
Access Control Process of granting (or denying) access.<br />
Acquisition Device The hardware used to acquire biometric<br />
samples or images.<br />
Active Imposter<br />
Acceptance<br />
Acceptance of a biometric sample submitted<br />
by someone actively attempting to<br />
gain illegal entry to a biometric system.<br />
AFIS Automated fingerprint identification<br />
system.<br />
Algorithm A sequence of instructions that tells a<br />
system how to solve a problem. Used<br />
by biometric systems, for example, to<br />
tell whether a sample and a template<br />
are from the same person (a “match”).<br />
Cryptographic algorithms are used to<br />
encrypt sensitive data files, to encrypt<br />
and decrypt messages, and to digitally<br />
sign documents.
Section 2 38 Fundamentals of <strong>Biometric</strong>s<br />
AND (Anding)/<br />
OR (Oring)<br />
Process<br />
In multi-modal applications, sometimes<br />
used to describe whether two or<br />
more biometrics must all be successfully<br />
matched (Anding) or if any match is successful<br />
(Oring). See also Asynchronous<br />
Multi-Modality.<br />
ANSI American National Standards Institute, a<br />
private, non-profit organization that administers<br />
and coordinates the U.S. voluntary<br />
standardization and conformity<br />
assessment system.<br />
API <strong>Application</strong> Program Interface. A computer<br />
code that is a set of instructions or<br />
services used to standardize an application.<br />
Any system compatible with the<br />
API can then be added or interchanged<br />
by the application developer.<br />
<strong>Application</strong> How a biometric is used. For example,<br />
access control, logical access, etc.<br />
<strong>Application</strong><br />
Developer<br />
An individual entrusted with developing<br />
and implementing a biometric application.<br />
<strong>Application</strong> Profile Conforming subsets or combinations of<br />
base standards used to provide specific<br />
functions. <strong>Application</strong> profiles identify<br />
the use of particular options available in<br />
base standards and provide a basis for interchange<br />
of data between applications<br />
and interoperability of systems.<br />
ASIC <strong>Application</strong> Specific Integrated Circuit.<br />
An integrated circuit developed for specific<br />
applications to improve performance.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 39<br />
Asynchronous<br />
Multi-Modality<br />
Version 2 – Summer 2008<br />
Systems that require a user to verify<br />
himself/herself through more than one<br />
biometric in sequence. Asynchronous<br />
multimodal solutions are comprised of<br />
one, two, or three distinct authentication<br />
processes. A typical user interaction will<br />
consist of verification on finger scan, then<br />
face, if finger is successful.<br />
Attack Any attempt (physical or electronic) to<br />
defeat the biometric system/subsystem<br />
or any of its components.<br />
Attempt The submission of one or more biometric<br />
samples to a biometric system for identification<br />
or verification. A biometric system<br />
may allow more than one attempt to<br />
identify or verify.<br />
Attribute<br />
Authority<br />
An entity, recognized by a Certificate<br />
Management Authority, as having the<br />
authority to verify the association of attributes<br />
to an identity.<br />
Audit Trail In computer/network systems, record of<br />
events (protocols, written documents,<br />
and other evidence) that can be used to<br />
trace the activities and usage of a system.<br />
Such material is crucial when tracking<br />
down successful attacks/attackers, determining<br />
how the attacks happened, and<br />
being able to use this evidence in a court<br />
of law.
Section 2 40 Fundamentals of <strong>Biometric</strong>s<br />
Authentication The process of establishing the validity<br />
of the user attempting to gain access to a<br />
system. Primary authentication methods<br />
include:<br />
Authentication<br />
Routine<br />
Automated<br />
Fingerprint<br />
Identification<br />
System (AFIS)<br />
Automatic ID /<br />
Auto ID<br />
•<br />
•<br />
•<br />
Access passwords (something you<br />
know)<br />
Access tokens (something you have)<br />
<strong>Biometric</strong>s (who you are)<br />
A cryptographic process used to validate<br />
a user, card, terminal, or message contents.<br />
Also known as a handshake, the<br />
routine uses important data to create a<br />
code that can be verified in real time or<br />
batch mode.<br />
A specialized biometric system that<br />
compares a single finger image with a<br />
database of fingerprint images. In law<br />
enforcement, AFIS is used to collect<br />
fingerprints from criminal suspects and<br />
crime scenes. In civilian life, fingerprint<br />
scanners are used to identify employees,<br />
protect sensitive data, etc.<br />
An umbrella term for any biometric system<br />
or other security technology that<br />
uses automatic means to check identity.<br />
This applies to both one-to-one verification<br />
and one-to-many identification.<br />
Base Standard Fundamental and generalized procedures.<br />
Provide an infrastructure that can<br />
be used by a variety of applications, each<br />
of which can make its own selection from<br />
the options offered.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 41<br />
Behavioral<br />
<strong>Biometric</strong><br />
Version 2 – Summer 2008<br />
A biometric that is characterized by a behavioral<br />
trait that is learned and acquired<br />
over time rather than a physiological<br />
characteristic. Examples include speech<br />
and signature.<br />
Bifurcation The point in a fingerprint when a ridge<br />
divides or splits to form two ridges that<br />
continue past the point of division for a<br />
distance that is at least equal to the spacing<br />
between adjacent ridges at the point<br />
of bifurcation.<br />
BioAPI BioAPI v2.0, developed by the Bio-API<br />
Consortium and released in March 2000,<br />
was designed to produce a standard<br />
biometric API aiding developers and<br />
consumers.<br />
<strong>Biometric</strong> (noun) One of various technologies that utilize<br />
behavioral and biological characteristics<br />
to recognize individuals.<br />
<strong>Biometric</strong>s (noun) Field relating to biometric recognition.<br />
<strong>Biometric</strong><br />
(adjective)<br />
<strong>Biometric</strong><br />
<strong>Application</strong><br />
<strong>Biometric</strong><br />
<strong>Application</strong><br />
Programming<br />
Interface (BAPI)<br />
Of or pertaining to technologies that utilize<br />
behavioral and biological characteristics<br />
to recognize individuals.<br />
The specific use to which a biometric<br />
system is put. See also “<strong>Application</strong><br />
Developer.”<br />
An API that allows the programmer to<br />
develop applications for a broad range<br />
of virtual biometric devices without<br />
knowing the specific capabilities of the<br />
device. The API is comprised of three<br />
distinct levels of functionality, from high<br />
device abstraction to low (device specific)<br />
abstraction.
Section 2 42 Fundamentals of <strong>Biometric</strong>s<br />
<strong>Biometric</strong> Data The extracted information taken from<br />
the biometric sample and used either to<br />
build a template or reference or to compare<br />
against a previously created template<br />
or reference.<br />
<strong>Biometric</strong> Engine The software element of the biometric<br />
system that processes biometric data during<br />
the stages of enrollment and capture,<br />
extraction, comparison, and matching.<br />
<strong>Biometric</strong><br />
Identification<br />
Device or Product<br />
The preferred term is “<strong>Biometric</strong> System”<br />
or subsystem, but may also refer to<br />
a component of the system or subsystem.<br />
<strong>Biometric</strong> Sample The identifiable, unprocessed image or<br />
recording of a biological and behavioral<br />
characteristic, acquired during enrollment,<br />
and used to generate biometric<br />
templates or references. Also referred to<br />
as biometric data.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 43<br />
<strong>Biometric</strong> System<br />
or Subsystem<br />
Version 2 – Summer 2008<br />
The integrated biometric hardware and<br />
software used to conduct biometric identification<br />
or verification. It is an automated<br />
system capable of:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Capturing a biometric sample from<br />
an end-user;<br />
Extracting biometric data from that<br />
sample;<br />
Comparing the biometric data<br />
with that contained in one or more<br />
templates;<br />
Deciding how well they match; and<br />
Indicating whether or not a recognition<br />
of the individual has been<br />
achieved.<br />
The biometric system may be referred to<br />
as a “subsystem” when it is a fully integrated<br />
part of a larger (holistic) security<br />
system. Alternatively, a biometric subsystem<br />
could be an operating component<br />
of the biometric system. For example, an<br />
enrollment station with specially configured<br />
readers/images may be referred to<br />
as a biometric subsystem.
Section 2 44 Fundamentals of <strong>Biometric</strong>s<br />
<strong>Biometric</strong><br />
Taxonomy<br />
<strong>Biometric</strong><br />
<strong>Technology</strong><br />
Breeder<br />
Document<br />
A method of classifying biometrics. For<br />
example, San Jose State University’s<br />
(SJSU’s) biometric taxonomy uses partitions<br />
to classify the role of biometrics<br />
within a given biometric application. An<br />
application may be classified as:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Cooperative v. Non-cooperative User<br />
Overt v. Covert <strong>Biometric</strong> System<br />
Habituated v. Non-habituated User<br />
Supervised v. Unsupervised User<br />
Standard equipment v. Non-standard<br />
equipment<br />
A classification of a biometric system by<br />
the type of biometric.<br />
Synonym for “source documents”, that<br />
provide some basis for claims to identity<br />
for biometric enrollment, such as passports,<br />
birth certificates, driver licenses,<br />
government or private sector organizational<br />
identity cards, program eligibility<br />
identity cards, etc.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 45<br />
Buffer Overflow Most common cause of security vulnerabilities.<br />
This occurs when more data is<br />
put into a temporary data storage area<br />
(buffer) than the buffer can hold. Because<br />
buffers can only hold a finite amount of<br />
data, the extra information can overflow<br />
into adjacent buffers, corrupting or<br />
overwriting the data in them. Programming<br />
errors are one of the most frequent<br />
causes of buffer overflow problems. In<br />
attacks that exploit buffer vulnerabilities,<br />
extra data is sent to the buffer with<br />
code designed to trigger specific actions,<br />
which can damage files, change data, or<br />
disclose confidential information. Buffer<br />
overflow attacks may arise from poor use<br />
of the C programming language.<br />
Capture The method of taking a biometric sample<br />
from the end user.<br />
CBEFF Common <strong>Biometric</strong> Exchange File Format<br />
that describes a set of data elements<br />
necessary to support biometric technologies<br />
in a common way. These data can be<br />
placed in a single file used to exchange<br />
biometric information between different<br />
system components or between systems.<br />
The result promotes interoperability of biometric-based<br />
application programs and<br />
systems developed by different vendors<br />
by allowing biometric data interchange.<br />
Version 2 – Summer 2008
Section 2 46 Fundamentals of <strong>Biometric</strong>s<br />
Certificate A digital representation of information<br />
which identifies the certification authority<br />
issuing it, names/identifies its subscriber,<br />
contains the subscriber’s public<br />
key, identifies its operational period, and<br />
is digitally signed by the certification authority<br />
issuing it.<br />
Certificate<br />
Authority<br />
An authority trusted by one or more users<br />
to create and assign certificates.<br />
Certification The process of testing a biometric system<br />
to ensure that it meets certain performance<br />
criteria. Systems that meet the<br />
testing criteria pass and are certified by<br />
the testing organization.<br />
Chaotic<br />
Morphogenesis<br />
A reference to an aspect of genetic development<br />
that results in the unique value<br />
of a specific human characteristic. It describes<br />
how some human features appear<br />
to develop on a totally random basis (for<br />
example, the iris).<br />
Claim of Identity When a user name, PIN, password, token,<br />
or card accompanies a biometric sample<br />
submitted to a biometric verification system<br />
to claim a similarity of bodily source<br />
with an enrolled template.<br />
Claimant A person submitting a biometric sample<br />
for verification or identification while<br />
claiming a legitimate or false identity.<br />
Closed-Set<br />
Identification<br />
When an unidentified end-user is known<br />
to be enrolled in the biometric system.<br />
Opposite of “Open-Set Identification.”<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 47<br />
Common Criteria Standard that provides a comprehensive,<br />
rigorous method for specifying function<br />
and assurance requirements for products<br />
and systems. This term is generally and almost<br />
exclusively used by the information/<br />
computer security community.<br />
Compare/<br />
Comparison<br />
Contact/<br />
Contactless<br />
Crossover Error<br />
Rate (CER)<br />
Version 2 – Summer 2008<br />
The process of comparing a biometric<br />
sample against a previously stored template<br />
and scoring the level of similarity.<br />
An accept or reject decision of a claim to<br />
similarity or non-similarity is then based<br />
upon this score. See also “One-to-One”<br />
and “One-to-Many.”<br />
In regard to chip cards, whether the card<br />
is read by direct contact with a reader or<br />
has a transmitter/receiver system that allows<br />
it to be read using radio frequency<br />
(RF) technology up to a certain distance.<br />
A comparison metric for different<br />
biometric devices and technologies. The<br />
error rate at which FAR equals FRR.<br />
The lower the CER, the more accurate<br />
and reliable the biometric device. Synonym<br />
for “Equal Error Rate” (EER).<br />
D Prime A statistical measure of how well a<br />
biometric system can discriminate<br />
between different individuals. The larger<br />
the D Prime value, the better a biometric<br />
system is at discriminating between<br />
people.
Section 2 48 Fundamentals of <strong>Biometric</strong>s<br />
Degrees of<br />
Freedom<br />
The number of statistically independent<br />
features or virtual features in biometric<br />
data.<br />
Digital Signature Transformation of a message using an<br />
asymmetric cryptosystem such that a<br />
person who has the initial message and<br />
the signer’s public key can accurately determine<br />
whether the transformation was<br />
created using the private key that corresponds<br />
to the signer’s public key and<br />
whether the initial message has been altered<br />
since the transformation was made.<br />
The encryption of a message digest with<br />
a private key.<br />
Discriminant<br />
Training<br />
A means of refining the extraction algorithm<br />
so that biometric data from different<br />
individuals are as distinct as possible.<br />
Ear Shape A lesser-known physical biometric that is<br />
characterized by the shape of the outer<br />
ear, lobes, and bone structure.<br />
Eigenface A method of representing a human face<br />
as a linear deviation from a mean or average<br />
face.<br />
Eigenhead The three dimensional version of Eigenface<br />
that also analyzes the shape of the<br />
head.<br />
Encryption Transforming a test into code in order to<br />
conceal its meaning. For example, the<br />
process of transforming data to an unintelligible<br />
form in such a way that the<br />
original data either cannot be obtained<br />
(one-way encryption) or cannot be obtained<br />
without using the inverse decryption<br />
process.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 49<br />
End User A person who interacts with a biometric<br />
system to enroll or have his/her identity<br />
checked.<br />
End User<br />
Adaptation<br />
Version 2 – Summer 2008<br />
The process of adjustment whereby a<br />
participant in a test becomes familiar<br />
with what is required and alters his/her<br />
responses accordingly.<br />
Enrollee A person who has a biometric template<br />
on file.<br />
Enrollment The process of collecting biometric samples<br />
from a person and the subsequent<br />
preparation and storage of biometric<br />
templates representing that person.<br />
Enrollment Time The time period a person must spend to<br />
have his/her biometric template successfully<br />
created.<br />
Equal Error Rate<br />
(EER)<br />
The proportion of false rejections that<br />
will be approximately equal to the proportion<br />
of false acceptances when the<br />
threshold is appropriately set. A synonym<br />
for “Crossover Error Rate” (CER).<br />
Extraction The process of converting a captured<br />
biometric sample into biometric data so<br />
that it can be compared to a template.<br />
Face Monitoring A biometric application of face recognition<br />
technology where the biometric system<br />
monitors the attendance of an end<br />
user at a desktop.<br />
Facial<br />
Thermography<br />
A specialized face recognition technique<br />
that senses heat in the face caused by the<br />
flow of blood under the skin.<br />
Failure to Acquire Failure of a biometric system to capture<br />
and extract biometric data.
Section 2 50 Fundamentals of <strong>Biometric</strong>s<br />
Failure to Acquire<br />
Rate<br />
The frequency of failure to acquire.<br />
False Acceptance Wrongly verifying a false claim regarding<br />
enrollment or non-enrollment in a<br />
biometric database. Also knows as “Type<br />
II error.”<br />
False Acceptance<br />
Rate (FAR)<br />
The probability that a biometric system<br />
will wrongly accept a false claim regarding<br />
enrollment or non-enrollment in a<br />
database. Also known as “Type II error<br />
rate.” It is stated as follows:<br />
• FAR = NFA / NIIA or<br />
•<br />
•<br />
•<br />
•<br />
•<br />
FAR = NFA / NIVA<br />
Where FAR is the false acceptance<br />
rate<br />
NFA is the number of false acceptances<br />
NIIA is the number of impostor identification<br />
attempts<br />
NIVA is the number of impostor verification<br />
attempts<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 51<br />
False Match Rate The probability that a biometric sample<br />
and a template not from the same source<br />
will be wrongly judged to be from the<br />
same source. Used to avoid confusion in<br />
applications that reject the claimant if his/<br />
her biometric data matches that of an enrollee.<br />
In such applications, the concepts<br />
of acceptance and rejection are reversed,<br />
thus reversing the meaning of “False Acceptance”<br />
and “False Rejection.” See<br />
also “False Non-Match Rate.”<br />
False Non-Match<br />
Rate<br />
Version 2 – Summer 2008<br />
The probability that a biometric sample<br />
and a template from the same source will<br />
be wrongly judged not to be a match.<br />
Used to avoid confusion in applications<br />
that reject the claimant if his/her biometric<br />
data matches that of an enrollee.<br />
In such applications, the concepts of acceptance<br />
and rejection are reversed,<br />
thus reversing the meaning of “False Acceptance”<br />
and “False Rejection.” See also<br />
“False Match Rate.”<br />
False Rejection The failure of a biometric system to verify<br />
the legitimate claim of a user to enrollment<br />
or non-enrollment in the system.<br />
Also known as a “Type I error.”
Section 2 52 Fundamentals of <strong>Biometric</strong>s<br />
False Rejection<br />
Rate (FRR)<br />
The probability that a biometric system<br />
will fail to accept a true claim of enrollment<br />
or non-enrollment in a database.<br />
Also knows as a “Type I error rate.” It is<br />
stated as follows:<br />
• FRR = NFR / NEIA or<br />
•<br />
•<br />
•<br />
•<br />
•<br />
FRR = NFR / NEVA<br />
Where FRR is he false rejection rate<br />
NFR is the number of false rejections<br />
NEIA is the number of enrollee identification<br />
attempts<br />
NEVA is the number of enrollee verification<br />
attempts<br />
Field Test A trial of a biometric application in a<br />
“real world” setting, as opposed to laboratory<br />
conditions.<br />
Finger Image A two-dimensional picture of the patterns<br />
found in the tip of the finger.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 53<br />
Fingerprint/<br />
Fingerprinting<br />
Fingerprint<br />
Scanning<br />
Version 2 – Summer 2008<br />
Fingerprints are the “traces” of minute<br />
ridges and valleys found on the finger of<br />
every person. In the fingers and thumbs,<br />
these ridges form basic patterns such as<br />
loops, whorls, and arches, and also have<br />
finer level of details, such as ridge bifurcation<br />
and endings, pore placement<br />
on the ridge, and feathering of ridge<br />
boundaries.<br />
Acquisition and recognition of a person’s<br />
fingerprint characteristics for identifying<br />
purposes. This allows the recognition of<br />
a person through quantifiable biological<br />
characteristics.<br />
Fingerprint Sensor Part of a biometric device used to capture<br />
a fingerprint image for subsequent<br />
processing.<br />
Foundation<br />
Documents<br />
Synonym for source documents that provide<br />
the basis for claims to identity for<br />
biometric enrollment. Source documents<br />
include; passports; birth certificates; driver<br />
licenses; government or private sector<br />
organizational identity cards, program<br />
eligibility identity cards, etc.<br />
Friction Ridge The ridges present on the skin of the fingers<br />
and toes, the palms and soles of the<br />
feet, which make contact with an incident<br />
surface under normal touch. On the fingers,<br />
unique patterns formed by the friction<br />
ridges make up fingerprints.<br />
Genetic<br />
Penetrance<br />
The degree to which characteristics are<br />
passed from generation to generation<br />
through inherited DNA.
Section 2 54 Fundamentals of <strong>Biometric</strong>s<br />
Hash Function A function that maps a variable-length<br />
data block or message into a fixed-length<br />
value called a message digest or hash<br />
code. The function is designed so that,<br />
when protected, it provides an authenticator<br />
for the data or message, because<br />
any alteration in the original message will<br />
produce a very different hash or digest<br />
value. The most widely-used hash function,<br />
called Secure Hash Algorithm-1 (SHA-1),<br />
was developed by NIST to be used with<br />
the Digital Signature Algorithm and was<br />
published in 1995 as FIPS 180-1.<br />
Hashing Hash values are used for accessing data<br />
or for security. A hash value is a number<br />
generated from a string of text. Hashing<br />
is a common method of accessing<br />
data records, typically using a hash table.<br />
Hashing is not the same as encryption.<br />
IAFIS Integrated Automated Fingerprint Identification<br />
System, implemented in July<br />
1999 to replace the former paper-based<br />
system for identifying and searching<br />
criminal history fingerprint records. It<br />
supports a law enforcement agency’s<br />
ability to digitally record fingerprints<br />
and electronically exchange information<br />
with the FBI.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 55<br />
Identification /<br />
Identify<br />
Version 2 – Summer 2008<br />
The one-to-many process of comparing<br />
a submitted biometric sample against all<br />
of the biometric templates on file to determine<br />
whether it matches any of the<br />
templates and, if so, returns the identity<br />
of the enrollee whose template was<br />
matched. The biometric system using<br />
the one-to-many approach is seeking to<br />
find an identity match with a database<br />
of identity records rather than verify a<br />
claimed identity. Contrast with “Verification”<br />
as a type of recognition.<br />
Identifier A unique data string used as a key in the<br />
biometric system to point to a person’s<br />
identity record and its associated attributes.<br />
An example of an identifier could<br />
be a passport number.<br />
IEC International Electrotechnical Commission,<br />
a non-profit standards organization<br />
dedicated to catalyzing positive change<br />
in the information industry and its university<br />
communities.<br />
Impostor /<br />
Imposter<br />
A person who submits a biometric sample<br />
in either an intentional or inadvertent attempt<br />
to pass him/herself off as another<br />
person who is an enrollee.<br />
INCITS International Committee for Information<br />
<strong>Technology</strong> Standards, the primary U.S.<br />
standards body in the field of information<br />
and communications technologies.<br />
Information<br />
Assurance (IA)<br />
Information operations that protect and<br />
defend information and information systems<br />
by ensuring their confidentiality,<br />
authentication, availability, integrity, and<br />
non-repudiation.
Section 2 56 Fundamentals of <strong>Biometric</strong>s<br />
In-House Test A test carried out entirely within the environs<br />
of the biometric developer, which<br />
may or may not involve external user<br />
participation.<br />
IrisCode ® The biometric template generated for<br />
each live iris presented. The code template<br />
is a mathematical representation of<br />
the features of the iris.<br />
ISO International Standards Organization,<br />
a network of national standards bodies<br />
from 145 countries working to develop<br />
international standards in partnership<br />
with international organizations, governments,<br />
industry, business, and consumer<br />
representatives.<br />
<strong>ITI</strong> Information <strong>Technology</strong> Industry Council,<br />
a trade association for U.S. providers<br />
of IT products and services.<br />
JTC 1 Joint Technical Committee 1, the technical<br />
committee formed under the authority<br />
of ISO/IEC to be responsible for<br />
international standardization in the field<br />
of IT.<br />
Key In encryption and digital signatures, a<br />
string of bits used for encrypting and decrypting<br />
information to be transmitted.<br />
Encryption commonly relies on two different<br />
types of keys, a public and a private<br />
one.<br />
Latent / Latent<br />
Print<br />
An impression of a finger image collected<br />
from a crime scene, for example.<br />
Live Capture The process of capturing a biometric<br />
sample by an interaction between an end<br />
user and a biometric system.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 57<br />
M1 Technical<br />
Committee on<br />
<strong>Biometric</strong>s<br />
Version 2 – Summer 2008<br />
Established in November 2001 to ensure<br />
a high priority, focused, and comprehensive<br />
approach in the United States for the<br />
rapid development and approval of formal<br />
national and international biometric<br />
standards.<br />
Match / Matching See “Compare / Comparison.”<br />
Minutiae Small details found in finger images such<br />
as ridge endings or bifurcations.<br />
Non-Repudiation Assurance that the sender is provided<br />
with proof of delivery and the recipient is<br />
provided with proof of the sender’s identity<br />
so that neither can later deny having<br />
processed the data.<br />
One-to-Many<br />
(1:N)<br />
The act of comparing stored templates<br />
of many persons to a submitted sample<br />
set from a single person<br />
One-to-One (1:1) The act of comparing a stored template<br />
of a single person to a submitted sample<br />
set from a single person<br />
Open-Set<br />
Identification<br />
Identification, when it is possible that<br />
the individual is not enrolled in the biometric<br />
system. Opposite of “Closed-Set<br />
Identification.”<br />
Optical Sensor Optics-based systems that translate the<br />
illuminated images into digital code for<br />
further software processing, such as enrollment<br />
and authentication.<br />
Out of Set In open-set identification, when the individual<br />
is not enrolled in the biometric<br />
system.
Section 2 58 Fundamentals of <strong>Biometric</strong>s<br />
Passive Impostor<br />
Acceptance<br />
When an impostor submits his/her own<br />
biometric sample and claims the identity<br />
of another person (either intentionally or<br />
inadvertently) he/she is incorrectly identified<br />
or verified by the biometric system.<br />
Compare with “Active Impostor Acceptance.”<br />
Password Security measure used to restrict access<br />
to systems, areas, or information. A password<br />
is a unique string of characters that<br />
a user types in as an identification code.<br />
The system compares the code against a<br />
stored list of authorized passwords and<br />
users. If the code is legitimate, the system<br />
allows the user access at whatever<br />
security level previously approved for the<br />
owner of that password.<br />
Performance<br />
Criteria<br />
Pre-determined criteria established to<br />
evaluate the performance of the biometric<br />
system under test.<br />
PIN Personal Identification Number, used in<br />
conjunction with an access control system<br />
or ATM, for example, as a secondary<br />
credential by the user to ensure the<br />
holder of the card or ID is the authorized<br />
user.<br />
Platen The surface on which a finger or hand is<br />
placed during optical fingerprint or hand<br />
geometry image capture.<br />
Plug-and-Play An industry-wide standard for add-on<br />
hardware that indicates it will configure<br />
itself, thus eliminating the need to set<br />
jumpers and making installation of the<br />
product quick and easy.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 59<br />
Private Key The part of a key pair to be safeguarded<br />
by the owner. Used to generate a digital<br />
signature, they are used to decrypt information,<br />
including key encryption keys<br />
during key exchange. It is computationally<br />
unfeasible to determine a private key<br />
given the associated public key.<br />
Public Key The part of a key pair that is made public,<br />
usually by posting it to a directory.<br />
A public key can be either a signature<br />
or key exchange key. The signer’s public<br />
signature key is used to verify a digital<br />
signature. Sending an encrypted message<br />
requires use of the recipient’s public key<br />
in the encryption process.<br />
Public Key<br />
Cryptography<br />
(PKC)<br />
Public Key<br />
Infrastructure<br />
(PKI)<br />
Receiver<br />
Operating Curves<br />
Version 2 – Summer 2008<br />
Encryption system using a linked pair of<br />
keys. What one key encrypts, the other<br />
key decrypts.<br />
Portion of the security management infrastructure<br />
dedicated to the management<br />
of keys and certificates used by<br />
public key-based security services. A PKI<br />
is a credentials service; it associates user<br />
and entity identities with public keys. A<br />
well-run PKI is the foundation on which<br />
the trustworthiness of public key-based<br />
security mechanisms rests.<br />
A graph showing how the false rejection<br />
rate and false acceptance rate vary according<br />
to the threshold.<br />
Recognition From the Latin “again” and “to know.”
Section 2 60 Fundamentals of <strong>Biometric</strong>s<br />
Reference Data that represents the biometric<br />
measurement of an enrollee used by a<br />
biometric system for comparison against<br />
subsequently submitted biometric samples.<br />
Alternatively, see “Template.”<br />
“Reference” is a broader term than<br />
“Template” and describes any data used<br />
in the matching process.<br />
Response Time The time period required by a biometric<br />
system to return a decision on identification<br />
or verification of a biometric<br />
sample.<br />
Ridge The raised markings found across the<br />
fingertip.<br />
Ridge Ending The point just beyond that at which a fingerprint<br />
ridge ends. The point at which<br />
the valley in front of the fingerprint ridge<br />
bifurcates.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 61<br />
Robustness A characterization of the strength of a<br />
security function, mechanism, service,<br />
or solution, and the assurance (or confidence)<br />
that it is implemented and functioning<br />
correctly. For example, the U.S.<br />
Department of Defense has three levels<br />
for robustness:<br />
Version 2 – Summer 2008<br />
• Basic:<br />
Security services and mechanisms<br />
that equate to good commercial<br />
practices.<br />
• Medium:<br />
Security services and mechanisms<br />
that provide for layering of<br />
additional safeguards above good<br />
commercial practices.<br />
• High:<br />
Security services and mechanisms<br />
that provide the most stringent<br />
protection and rigorous security<br />
countermeasures.<br />
Sensor Hardware found on a biometric device<br />
that converts biometric input into electrical<br />
signals and conveys this information<br />
with the attached computer.<br />
Source Documents Used to provide the basis for claims to<br />
identity in biometric enrollment includes;<br />
passports, birth certificates, driver licenses,<br />
government or private sector organizational<br />
identity cards, program eligibility<br />
identity cards, etc. See also Breeder Documents<br />
and Foundation Documents.
Section 2 62 Fundamentals of <strong>Biometric</strong>s<br />
Symmetric Key Encryption methodology in which the<br />
encryptor and decryptor use the same<br />
key, which must be kept secret.<br />
TAG Technical Advisory Group, appointed by<br />
ANSI to represent the ANSI (U.S.) position<br />
in various disciplines to ISO/IEC for development<br />
of international standards. In IT,<br />
INCITS has been appointed TAG to ISO/<br />
IEC JTC 1.<br />
Template See “Reference.” The code that contains<br />
the biometric characteristic or sample<br />
Third Party Test An objective test, independent of a<br />
biometric vendor, usually carried out<br />
entirely within a test laboratory in controlled<br />
environmental conditions.<br />
Threshold<br />
/ Decision<br />
Threshold<br />
The comparison score above or below<br />
which a claim of a match between a sample<br />
and a template is accepted or rejected.<br />
The threshold may be adjustable so that<br />
the biometric system can be more or less<br />
strict, depending on the requirements of<br />
any given biometric application.<br />
Throughput The total time required for one user to<br />
complete the matching transaction in a<br />
biometric system/subsystem. In a verification<br />
type system, it would include the<br />
entry of an identifier or PIN by the user.<br />
Throughput Rate The number of end users that a biometric<br />
system can process within a stated time<br />
interval.<br />
Type I Error Statistical term for rejecting a true<br />
hypothesis.<br />
Type II Error Statistical term for accepting a false<br />
hypothesis.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 2 63<br />
User The client of any biometric vendor. The<br />
user must be differentiated from the end<br />
user and is responsible for managing and<br />
implementing the biometric application<br />
rather than actually interacting with the<br />
biometric system.<br />
Validation The process of demonstrating that the<br />
system under consideration meets in all<br />
respects the specification of that system.<br />
Verification /<br />
Verify<br />
Version 2 – Summer 2008<br />
The process of proving as true some<br />
claim about enrollment in a biometric<br />
system. In systems where the user makes<br />
a positive claim to be enrolled as a specific<br />
user, this is done by comparing a<br />
submitted biometric sample against the<br />
biometric template of the single enrollee<br />
whose identity is being claimed. Some<br />
systems, such as those based on the<br />
Daugman iris recognition algorithms,<br />
verify unspecific claims to identity by a<br />
complete search of the enrollment database.<br />
Thus a user’s positive claim to enrollment<br />
in a biometric database can be<br />
accomplished by either a “one-to-one”<br />
or a “one-to-many” search. Verification<br />
is distinguished from identification<br />
in that the user’s “identity record” is not<br />
returned by a verification system. A type<br />
of recognition.<br />
Volatiles A term specific to “body odor” biometric<br />
technology. It is the chemical breakdown<br />
of body odor. (DARPA calls this “emanations.”)<br />
Wavelet Scalar<br />
Quantization<br />
A compression algorithm used to reduce<br />
the size of fingerprint images.
Section 2 64 Fundamentals of <strong>Biometric</strong>s<br />
X9.84 <strong>Biometric</strong>s X9.84 <strong>Biometric</strong>s Management and Security<br />
for the Financial Services Industry.<br />
Specification that defines the minimumsecurity<br />
requirements for effective management<br />
of biometric data for the financial<br />
services industry and the security for<br />
the collection, distribution, and processing<br />
of biometric data.<br />
Zero Effort Attack A casual attempt to defraud a biometric<br />
system in which the impostor falsely<br />
claims to be a randomly chosen enrollee,<br />
submitting the impostor’s own biometric<br />
sample without alteration.<br />
NOTE: The biometric community is not yet in general agreement<br />
on the use of terms and definitions. As a result, even standards<br />
bodies working in this area have yet to produce a definitive glossary.<br />
This glossary is intended to define terms associated with<br />
biometrics as used by NBSP within the BTAM. Where appropriate,<br />
alternative usage is also described.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 1<br />
Section 3: Types of <strong>Biometric</strong><br />
Technologies<br />
When used for personal identification, biometric technologies<br />
measure and analyze human biological and<br />
behavioral characteristics. Identifying a person’s biological<br />
characteristics is based on direct measurement of a<br />
part of the body, such as fingerprints, hand structure, facial<br />
features, iris patterns, and others. The corresponding<br />
biometric technologies are fingerprint recognition,<br />
hand geometry, facial, and iris recognition, among others.<br />
<strong>Biometric</strong> systems using predominantly behavioral<br />
characteristics are based on data derived from actions,<br />
such as speech and signature, for which the corresponding<br />
biometrics are speaker verification and dynamic signature<br />
analysis. Almost all biometrics, however, incorporate<br />
both biological and behavioral components.<br />
<strong>Biometric</strong>s are an effective personal identifier because<br />
the characteristics measured are distinct to each person.<br />
Unlike other identification methods that use something<br />
a person has, such as an identification card to gain access<br />
to a building, or something a person knows, like a<br />
password or PIN to log on to a computer system, the biometric<br />
characteristics are integral to something a person<br />
is. Because biometrics are tightly bound to an individual,<br />
they are more reliable, cannot be forgotten, and are less<br />
likely to be lost, stolen, or otherwise compromised.<br />
This Section of the BTAM describes in more detail how the<br />
commonly used biometrics function. They are presented in<br />
alphabetical order by type of technology.<br />
Version 2 – Summer 2008
Section 3 2 Types of <strong>Biometric</strong> Technologies<br />
Dynamic Signature Analysis<br />
How the <strong>Technology</strong> Works<br />
Signature recognition authentication or dynamic signature<br />
analysis authenticates identity by measuring and<br />
analyzing handwritten signatures. Dynamic signature<br />
analysis does not rely on the physical appearance of the<br />
signature, but instead on the manner in which a signature<br />
is written, using a stylus on a pressure-sensitive<br />
tablet to track hand movements. This technology measures<br />
how the signature is signed, looking at changes in<br />
pressure, position, and velocity of the pen during the<br />
course of signing, using a pressure-sensitive tablet or<br />
personal digital assistant (PDA).<br />
Some dynamic signature recognition technologies can<br />
also track a person’s natural signature fluctuations over<br />
time. While it may be easy to duplicate the visual appearance<br />
of a signature, it is difficult to duplicate the<br />
behavioral characteristics when someone signs his/her<br />
signature.<br />
Signature verification consists primarily of a specialized<br />
pen (or stylus) and writing tablet, which are connected to<br />
a computer for processing and verification. To begin the<br />
data acquisition phase of enrollment, the individual must<br />
sign his/her name multiple times on the writing tablet.<br />
After the data is acquired, the signature verification system<br />
extracts writer’s behavioral characteristics, including<br />
how long it took the person to sign his/her name;<br />
the pressure applied; the speed in signing the signature;<br />
the overall size of the signature; and the quantity and<br />
various directions of the strokes in the signature, and<br />
uses this information in future comparison of the live<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 3<br />
signature to the enrollment template for the verification<br />
of enrollment claims.<br />
Dynamic signature recognition is considered a “behavioral”<br />
biometric technology, although the handedness of<br />
the user (a biological characteristic) plays a large role in<br />
the method of signing.<br />
Robustness<br />
Dynamic signature analysis devices have proved to be reasonably<br />
accurate in operation and lend themselves to applications<br />
where the signature is an accepted identifier.<br />
One of the suggested advantages for signature verification<br />
is that it has a high level of resistance to impostors.<br />
For example, although it is easy to forge a signature, it is<br />
difficult to mimic the behavioral patterns associated with<br />
signing one’s signature. This technology would work well<br />
in high-value transactions.<br />
Signature verification is considered a non-invasive tool<br />
because people are currently accustomed to providing<br />
a signature to authorize transactions. As a result, there<br />
could be a high level of acceptance on the part of the<br />
end-user for this technology. Using signatures for commerce<br />
is common, so there are virtually no privacy rights<br />
issues involved.<br />
Limitations<br />
Some systems have difficulties with individuals whose<br />
signature changes substantially each time it is written or<br />
with left-handed people.<br />
Version 2 – Summer 2008
Section 3 4 Types of <strong>Biometric</strong> Technologies<br />
There are a number of constraints in the data acquisition<br />
phase:<br />
•<br />
•<br />
•<br />
A signature cannot be too long or too short. If it<br />
is too long, there will be too much behavioral data<br />
presented, and as a result, it will be difficult for the<br />
signature verification system to identify consistent<br />
and unique data points. If a signature is too short,<br />
there will not be enough data present, which will<br />
lead to a higher false accept rate.<br />
The user must complete the enrollment and verification<br />
processes in the same type of environment<br />
and conditions. For example, if the user was standing<br />
in the enrollment phase, but sitting in the verification<br />
phase, and/or resting his/her arm in one<br />
phase but not in the other phase while signing, the<br />
enrollment and verification templates tend to be<br />
substantially different from each other.<br />
Signature verification is prone to an increase in the<br />
level of error rates over time. This happens when the<br />
behavioral characteristics of the signatures are inconsistent<br />
among each other. Users may also have<br />
difficulties in getting acclimated to the use of the<br />
signature tablet, which also increase the chances for<br />
higher error rates.<br />
<strong>Application</strong>s<br />
Despite its user friendliness, long history, and lack of<br />
invasiveness, signature verification has not become a<br />
market leader like other biometric technologies (i.e.,<br />
fingerprint). Some documented applications include:<br />
Chase Manhattan Bank, the first known bank to adopt<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 5<br />
signature verification technology; IRS for verification<br />
purposes in tax returns that have been filed online; and<br />
Charles Schwab & Company for new client applications.<br />
Most likely, the biggest market application for<br />
signature verification will be in document verification<br />
and authorization.<br />
Facial Imaging or Recognition<br />
How the <strong>Technology</strong> Works<br />
Facial imaging or recognition identifies people by comparison<br />
of sample images to stored templates using<br />
mathematical analysis of the groups of acquired pixels.<br />
Facial imaging is not based on common “facial features,”<br />
such as cheeks, nose, chin, and mouth, which cannot be<br />
found reliably by current algorithms. Most systems, however,<br />
must find the eye centers for the purpose of isolating<br />
the face in a large image. Systems using facial recognition<br />
technology capture facial images using digital<br />
cameras and, like their biometric technology counterparts,<br />
generate templates for comparing a live face to a<br />
stored enrollment template. Facial recognition is most<br />
commonly used in the verification mode.<br />
There are four primary methods used by facial imaging<br />
or recognition vendors for generating facial-based<br />
biometric templates and identifications. These include:<br />
1.<br />
“Spectral Decomposition Methods (Eigenfaces and<br />
Local Feature Analysis)”,<br />
Version 2 – Summer 2008
Section 3 6 Types of <strong>Biometric</strong> Technologies<br />
2.<br />
3.<br />
4.<br />
Elastic bunch graph matching,<br />
Support Vector Machines, and<br />
Local Correlation (“texture”) Methods.<br />
“Eigenface”, deriving from the well known mathematical<br />
technique of Principal Component Analysis based on<br />
“eigen vectors”, is a technology with some patents held<br />
by MIT. It uses two dimensional, global grayscale images<br />
to “decompose” a facial image. That is, a facial image is<br />
represented by some combination of factory-set, global<br />
(full face) eigenfaces, added up like overlaid transparencies.<br />
These eigenfaces resemble “ghost” faces. Any face<br />
image can be approximated by some combination of the<br />
ghost-like eigenfaces. The particular weightings of the<br />
factory-standard eigenfaces required to represent the<br />
sample is stored as the template. Matching is then attempted<br />
by comparing the weightings required to represent<br />
a sample face to those stored as the template. If<br />
they are similar, the images may have come from the<br />
same source. Because the basis transparencies are “global”<br />
(looking like an entire face), any change in a sample<br />
facial image changes the required weightings for all of<br />
the eigenface components.<br />
Local Feature Analysis is based on the same principle as<br />
eigenfaces, but each basic factory-set transparency does<br />
not look at all like a “ghost” image. Rather, most of the<br />
basis transparencies are 0 (zero) valued, having non-zero<br />
values over only a small local portion of the face image.<br />
Consequently, it is more flexible in accommodating<br />
changes in facial appearance and/or expressions. The<br />
LFA method uses dozens of features from various areas<br />
of the face. This method is not a global representation<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 7<br />
of the face.<br />
Elastic Bunch Graph Matching (EBGM) was developed by<br />
Professor Christoph von der Malsburg at the University<br />
of Southern California. In this method, a bendable grid is<br />
placed on the face image and Gabor filters of various size,<br />
orientation, and frequency are placed on each vertex of<br />
the grid. The values of the image under the various filters<br />
form a “jet” (a series of numbers) on each vertex of the<br />
grid. These jets are stored as the reference. When a sample<br />
face is compared to the reference, moderate bending<br />
of the grid is allowed to create sample jets of best fit to<br />
the reference.<br />
Support Vector Machines have been successfully used<br />
by vendors, as well. The many thousand individual pixels<br />
of a face image are multiplied by a “kernel” to actually<br />
increase the number of numerical values representing<br />
the face. The kernel is chosen to provide maximum<br />
separation of the various faces in the new, higher dimensional<br />
space.<br />
Local Correlation (“texture”) Methods analysis, also called<br />
“texture mapping,” looks for small regions of similarity<br />
between the pixels of the sample image and pixels of the<br />
template, saved as an entire image. If enough of these regions<br />
can be found and if they are in the same basic areas<br />
of both images, the images are deemed to have come<br />
from the same source.<br />
Version 2 – Summer 2008
Section 3 8 Types of <strong>Biometric</strong> Technologies<br />
There is no clear indication as to which method is most<br />
appropriate for any individual application. More recently,<br />
vendors have begun to combine approaches, producing<br />
hybrid systems.<br />
Variations<br />
“Facial thermography” or thermal imaging is another<br />
type of facial biometric. It is a specialized face recognition<br />
technique that senses heat in the face caused by the<br />
flow of blood under the skin. Thermal imaging systems<br />
can hypothetically be combined with other systems to<br />
produce more accurate authentication applications, or<br />
used separately for different purposes. Developed in the<br />
early 1990s, this technology was initially expensive and<br />
never commercially successful.<br />
For more information on Facial Thermography, see<br />
“Other <strong>Biometric</strong> Technologies.”<br />
Robustness<br />
The concept of recognizing someone by his/her face is<br />
intuitive and the most common means humans use to<br />
identify one another on sight. Because of this, there are<br />
several advantages to using facial recognition, including:<br />
•<br />
Facial recognition can leverage existing databases<br />
that currently house facial images or photographs,<br />
such as a driver license database or mug shots of<br />
criminals. However, the extent to which such “legacy”<br />
files may be useful is dependent on the quality of<br />
the image and nature of the environment (lighting,<br />
etc.) in which the original photo was acquired.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 9<br />
•<br />
•<br />
•<br />
Facial images can be captured from some distance<br />
away and without any physical contact, providing a<br />
clandestine or covert capability, if needed. For this<br />
reason, facial recognition is perceived as the only biometric<br />
suitable for “surveillance” applications.<br />
Facial recognition can also utilize commercially available<br />
digital camera technology used for video teleconferencing<br />
or close circuit television (CCTV) cameras<br />
used in surveillance applications.<br />
Facial recognition technology is often perceived<br />
as less intrusive than other biometric technologies<br />
where contact with the reader is required.<br />
The covert nature and potential uses of facial recognition<br />
technology can sometimes prompt legal concerns. For a<br />
discussion regarding legal and privacy concerns, refer to<br />
BTAM Section 7, Part 1: Societal Issues.<br />
Limitations<br />
The majority of facial recognition algorithms seem to be<br />
sensitive to variations in Pose angle, Illumination, facial<br />
Expression, and Currency (the PIEC problem). Change<br />
in illumination results in a significant performance drop<br />
and has proven difficult to use these technologies outdoors.<br />
Changing facial position can also have an effect<br />
on performance. Any difference in position between the<br />
query image and a database image can adversely affect<br />
performance. At a difference of 45 degrees, recognition<br />
can be ineffective.<br />
Ideally, for facial recognition systems to perform with relatively<br />
high accuracy, subjects should be photographed<br />
Version 2 – Summer 2008
Section 3 10 Types of <strong>Biometric</strong> Technologies<br />
and enrolled under tightly controlled conditions. Each<br />
subject/user should look directly into the camera and fill<br />
the area of the photo for the automated system to reliably<br />
identify the person, or even detect, his/her face in<br />
the photograph.<br />
Many face verification applications make it mandatory to<br />
acquire images with the same camera. However, some<br />
applications, particularly those used in law enforcement,<br />
allow image acquisition with many camera types. Camera<br />
variation potentially affects system performance as<br />
much as changing illumination.<br />
The surveillance and non-intrusive aspects of facial recognition<br />
technology have a perceived downside in that<br />
they are more adaptable to covert use and raise issues<br />
regarding civil liberties if the scope of use is not carefully<br />
controlled.<br />
It is necessary to keep stored enrollment image templates<br />
up-to-date, since a person’s appearance changes<br />
(both naturally and, sometimes, deliberately) with time<br />
and age. It is recommended to encourage users to update<br />
their facial enrollment template at least every couple<br />
of years.<br />
As mentioned, facial imaging is most commonly used<br />
for verification but NIST suggests that it not be used for<br />
identification. 23<br />
23 According to “Summary of NIST Patriot Act Recommendations.”<br />
See http://www.itl.nist.gov/iad/894.03/pact/NIST_<br />
PACT_REC.pdf<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 11<br />
<strong>Application</strong>s<br />
Unlike other biometric technologies, implementing a facial<br />
recognition system has its own set of challenges that<br />
other technologies may not experience. For example,<br />
other biometric technologies might work in different<br />
kinds of application environments and, to a certain degree,<br />
may not be affected as much by external variables.<br />
With facial recognition, performance can be greatly influenced<br />
by the type of application setting that is used.<br />
<strong>Application</strong> environments for facial recognition systems<br />
can be categorized as “controlled” and “random.” In a<br />
controlled environment, there is not much variation in<br />
the background conditions or lighting. The user will look<br />
into the camera and good quality enrollment and verification<br />
templates will be created. A typical example of a<br />
controlled environment is of a physical access entry at a<br />
location or site.<br />
In a random environment, however, there is more variation.<br />
A typical example of a random setting is in surveillance.<br />
Facial recognition systems have not been successfully<br />
used at airports for such purposes. Results are poor<br />
because the facial recognition system has to identify and<br />
filter faces from different lighting environments, angles,<br />
poses, and different locations with varying background<br />
distractions.<br />
Facial recognition, with heavy operator assistance and<br />
not in the automatic mode, has been used to identify<br />
card counters in casinos. Facial recognition has also been<br />
successful in access control, whether to a location, building,<br />
room, or for computer access. Face recognition has<br />
been successfully applied as a tool for screening individuals<br />
to see if they are already known to the system. This<br />
Version 2 – Summer 2008
Section 3 12 Types of <strong>Biometric</strong> Technologies<br />
is used for fraud prevention when individuals apply for<br />
visas or driver’s licenses. The same technique is used in<br />
some law enforcement jurisdictions during the criminal<br />
booking process to get an immediate indication of the<br />
identity of an arrestee well before a FBI fingerprint check<br />
is conducted.<br />
“Face monitoring” is a biometric application of face recognition<br />
technology where the biometric system monitors<br />
the presence of a user, often at a desktop. This technology<br />
can be overt or covert in nature.<br />
Fingerprint<br />
How the <strong>Technology</strong> Works<br />
Some argue that fingerprint identification was not a true<br />
biometric until the emergence of the more recent fully-<br />
automated systems. More accurately, fingerprints represent<br />
the transition from a manual biometric to the automated<br />
form of the technology.<br />
Fingerprints have long been used to identify people. In<br />
14th century China, they were used as a form of signature.<br />
Today, fingerprint verification technology is the<br />
most prominent biometric technology, used by millions<br />
of people worldwide.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 13<br />
Figure 3-1 Examples of various fingerprint ridge patterns. 24<br />
It is estimated that the number of possible fingerprint<br />
patterns is 10 to the 48th power. 25 Fingerprint technology<br />
can be used effectively in both verification (1:1) and<br />
identification (1:N) applications.<br />
Fingerprint verification systems work by identifying the<br />
locations of small lines or ridges found in the fingerprint.<br />
They extract features from impressions that are made by<br />
these distinct ridges. Typically, fingerprints are either flat<br />
(capture by placing a finger directly on the scanner) or<br />
rolled (rolling the finger from one edge of the fingernail<br />
to the other). A flat fingerprint is an impression of the<br />
area between the fingertip and the first knuckle, which a<br />
rolled fingerprint also includes an impression of the ridges<br />
on both sides of the finger.<br />
24 Graphic from University of Alabama in Huntsville Integrated <strong>Biometric</strong>s<br />
Laboratory<br />
25 According to Gartner Dataquest.<br />
Version 2 – Summer 2008
Section 3 14 Types of <strong>Biometric</strong> Technologies<br />
Fingerprint-based systems can also be further categorized<br />
into four broad groups: Minutiae-based matching<br />
(analyzing the local structure), direct correlation techniques,<br />
optical comparison, and spectral ridge-pattern<br />
matching (analyzing the ridge or global structure) of the<br />
fingerprint. Most fingerprint technology vendors’ algorithms<br />
analyze minutiae points. The current international<br />
standard for minutiae extraction recognizes two common<br />
characteristics as comprising minutia points: ridge<br />
endings (the end of a ridge) and bifurcations (Y-shaped<br />
split of one ridge into two ridges).<br />
Fingerprint ridge patterns as seen in Figure 3-1 are captured<br />
by the system and groupled into several categories:<br />
left and right loops; whorls; and others.<br />
When fingerprint patterns are captured and analyzed,<br />
about 5% of all fingerprint patterns are arches; 30% are<br />
whorls; and 65% are loops, divided approximately equally<br />
into left and right loops. 26<br />
Ridge Spectral Pattern-based Algorithms<br />
How the <strong>Technology</strong> Works<br />
In matching ridge patterns, the image is divided into<br />
small square areas about five pixels on a side. The<br />
ridge wavelength, direction, and phase displacement<br />
for each small square is encoded and used as the basis<br />
for the biometric template. Ridge pattern matching<br />
26 <strong>Biometric</strong> Technologies. Cynthia Traeger and Howard Falk (doc id<br />
00016761). Faulkner Information Services, a division of Information Today.<br />
2002.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 15<br />
algorithms use a process<br />
of aligning and overlaying<br />
segments of fingerprint<br />
images to determine similarity.<br />
Minutia-based Algorithms<br />
A typical fingerprint image may<br />
produce between 15 and 70 minutiae,<br />
depending on the portion<br />
of the image captured. The most<br />
prevalent minutiae are ridge endings.<br />
27 Minutiae algorithms plot<br />
the relative position and type of<br />
points (minutiae) where ridge lines<br />
branch apart (bifurcate) or terminate<br />
(end).<br />
Variations<br />
There are a number of variations to fingerprint matching<br />
algorithms and template formats, including optical techniques<br />
- dating to the 1960s and formerly of great interest<br />
to the FBI and direct correlation techniques in which<br />
areas of ridge patterns from fingerprints are directly<br />
overlaid. [Some fingerprinting sensors can detect when<br />
a live finger is presented but cannot tell whether the fin-<br />
27 <strong>Technology</strong> Assessment: Using <strong>Biometric</strong>s for Border Security. U.S.<br />
General Accounting Office. November 2002 pg. 143<br />
28 Graphic from “Fingerprint Matching Using Minutiae and Texture<br />
Features.” Proceedings of the International Conference on Image<br />
Processing (ICIP), Greece. Anil Jain, Arun Ross, Salil Prabhakar. October<br />
2001 IEEE. Used with permission.<br />
Version 2 – Summer 2008<br />
Figure 3-2 Minutia-based fingerprint<br />
image with detected<br />
minutia points marked. 28<br />
® IEEE 2001. Used with<br />
permission.
Section 3 16 Types of <strong>Biometric</strong> Technologies<br />
gerprint on the finger is live or synthetic].<br />
Rolled fingerprints have been used for identification for<br />
decades - most commonly known from police dramas<br />
where the suspect’s fingerprints are inked and rolled<br />
side-to-side on a white paper - and provide an accurate<br />
means of identification. Operators, however, must be<br />
well trained to collect good quality rolled fingerprints;<br />
the process is slow and requires manual rolling of each<br />
of the subject’s fingers by the operator.<br />
Single-finger flats are typically used for verification systems<br />
and/or in small to medium-sized identification systems.<br />
Accuracy and reliability are good for most applications.<br />
Several studies have reasonably shown, though,<br />
that identification accuracy increases substantially as the<br />
number of fingers (and thus fingerprints) used increases,<br />
indicating that at least four fingers should be used for<br />
larger-scale identification systems. Because of this, the<br />
use of multi-finger “slaps” can offer improvements in performance<br />
accuracy and efficiency over the use of singlefinger<br />
flats, especially since four fingerprints can be collected<br />
in each image.<br />
Slap fingerprints (slaps) are taken by simultaneously<br />
pressing the four fingers of one hand onto a scanner or<br />
fingerprint card. Slaps are also known as four-finger simultaneous<br />
plain impressions. They are, simply, multiple<br />
flat fingerprints captured at the same time. Slap fingerprints<br />
have received increasing attention for possible use<br />
in large-scale fingerprint identification systems as a possible<br />
compromise between the use of rolled fingerprints<br />
and single-finger flat fingerprints. A number of issues<br />
must be addressed in order to use slap fingerprints in<br />
an operational system. It is critically important to enroll<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 17<br />
each of the prints in the correct finger order. Enrolling<br />
fingerprints out of sequence can result in increased user<br />
errors and false rejections. Operationally, slap fingerprint<br />
scanners tend to be larger and more expensive than single-finger<br />
fingerprint scanners. 29<br />
Robustness<br />
Fingerprint patterns are stable throughout one’s lifetime,<br />
and unique and easily analyzed and compared. Fingerprint<br />
systems are easy to use, in most cases requiring the<br />
user to simply touch a platen with his/her forefinger. In<br />
addition to being secure, most fingerprint systems are<br />
relatively inexpensive.<br />
Limitations<br />
Capable of high accuracy levels, fingerprint devices<br />
can suffer from usage errors when users are not properly<br />
trained in system usage and/or motivated to cooperate<br />
when placing their finger(s) on the reader. This<br />
is, of course, not limited to fingerprint systems and extends<br />
to all biometric technologies. Conditions must be<br />
right for accurate authentication; for example, wet or<br />
moist fingers, cuts on fingers, or dirt or grease can sometimes<br />
affect the authentication process. Additionally, as<br />
with other biometric methods where a platen must be<br />
touched, some people are uncomfortable with touching<br />
something that other people have touched repeatedly<br />
29 Portions from Slap Fingerprint Segmentation Evaluation 2004<br />
(SlapSeg04) Analysis Report (NISTIR 7209). Bradford Ulery, Austin Hicklin,<br />
Craig Watson, Michael Indovina, and Kayee Kwong. http://fingerprint.nist.gov/slapseg04/ir_7209.pdf<br />
Version 2 – Summer 2008
Section 3 18 Types of <strong>Biometric</strong> Technologies<br />
before them.<br />
Other concerns involve the aspects of occupational impact.<br />
The use of hands in constant contact with abrasives<br />
or chemicals may interfere with fingerprint readers.<br />
There are consistent reports of genetic influence in population<br />
segments regarding an impact on image quality,<br />
but good documentation on this “outlier” influence<br />
is hard to find.<br />
<strong>Application</strong>s<br />
Fingerprint biometrics have four main application areas:<br />
large-scale Automated Fingerprint Imaging Systems<br />
(AFIS) that are generally used by law enforcement,<br />
for fraud prevention in entitlement programs, physical<br />
access control (doors) and “logical” access to computer<br />
systems.<br />
Workstation access applications seem to be based almost<br />
exclusively around fingerprints, due to the relatively low<br />
cost, small size (easily integrated into keyboards, mice,<br />
and laptops) and ease of integration.<br />
Hand Geometry<br />
How the <strong>Technology</strong> Works<br />
Historically, hand geometry systems have dominated<br />
the access control and “time and attendance” market<br />
in terms of biometrics being used for these purposes.<br />
Hand geometry-based verification systems measure the<br />
layout of a person’s hand, including the fingers, joints,<br />
and knuckles. Some systems measure the geometry of<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 19<br />
two fingers (see Finger Geometry).<br />
Hand geometry measures the two-dimensional physical<br />
characteristics of the user’s hand and fingers using an<br />
optical camera, mirrors, and light-emitting diodes (LEDs)<br />
to capture images of the back and sides of the hand. In<br />
measuring size and shape, a hand geometry system collects<br />
more than 90 dimensional measurements. In the<br />
measurement of the different features, a person places<br />
his/her hand flat on the reader’s surface, where pegs<br />
guide the fingers into position. Hand geometry systems<br />
require the user to squeeze his/her fingers against the<br />
pegs to confirm the hand is “living” rather than a prosthetic.<br />
Cameras capture images of the back and sides of<br />
the hand. Only the hand’s geometry is analyzed; prints of<br />
the palm and fingers are not taken.<br />
Variations<br />
Finger geometry systems work similarly to hand geometry<br />
systems, looking at the structure of one, two, or three<br />
fingers instead of the whole hand.<br />
Robustness<br />
A technology that has been used by-and-large for physical<br />
access control, hand geometry consistently performs<br />
well and is relatively easy to use. Accuracy can be high<br />
and the technology can accommodate a wide range of<br />
applications; it also integrates well into other systems<br />
and identification processes.<br />
Hand geometry is generally perceived as non-intrusive<br />
and non-threatening and lacks the law enforcement as-<br />
Version 2 – Summer 2008
Section 3 20 Types of <strong>Biometric</strong> Technologies<br />
sociation of fingerprint systems. It is considered relatively<br />
easy to use by the majority of the population, although<br />
some minimal training may be necessary to help<br />
the user learn how to align his/her hand accurately in the<br />
reader.<br />
Limitations<br />
While the shape and size of the human hand is reasonably<br />
diverse, hands are not necessarily highly distinctive.<br />
In larger populations, for example, it is almost certain<br />
that some people may share similar hand dimensions.<br />
It should be noted that current hand-geometry systems<br />
can operate only in the verification mode because of the<br />
limited variability in hand features. Also, the usual system/hardware<br />
design allows only the right hand to be<br />
enrolled (if the left hand is used, it is turned upside down,<br />
thereby creating enrollment problems and subsequent<br />
verification problems), although left-handed readers<br />
have been manufactured and deployed.<br />
Additionally, in some cultures people may be uncomfortable<br />
touching a device that many people have previously<br />
touched. While this phenomenon may be more attributable<br />
to the newness of biometrics than anything else—<br />
afterall, people still use door handles, operate vending<br />
machines, and exchange money—more insight can be<br />
gained on such user psychology issues as they pertain to<br />
biometrics in Section 7, Part 1: Societal Issues.<br />
<strong>Application</strong>s<br />
Hand geometry can be suitable for one-to-one applications<br />
where there are larger user databases and/or where<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 21<br />
users may access the system infrequently and, therefore,<br />
be less disciplined in their approach to the system. As<br />
mentioned earlier, hand geometry systems are most<br />
commonly used in access control and/or time and attendance<br />
applications.<br />
Iris Recognition<br />
How the <strong>Technology</strong> Works<br />
Iris recognition technology is based on the patterns resident<br />
in the iris of the eye—the colored ring surrounding<br />
the pupil. Iris recognition technology identifies people<br />
by the unique patterns in the iris using a fairly conventional<br />
charge coupled device (CCD) camera. Made from<br />
elastic connective tissue, the iris represents a richly patterned<br />
surface under the reflective cornea of<br />
the eye. The image of the iris under infra-red illumination<br />
can be quantified and used to identify<br />
an individual. Approximately 2048 binary<br />
(0 or 1) features are captured in a “live” iris iden-<br />
tification application. Formed by the eighth<br />
month of gestation, iris characteristics reportedly<br />
remain stable throughout a person’s lifetime,<br />
except in cases of trauma or injury.<br />
30 Photo from Dr. John Daugman, Cambridge University, The Com-<br />
puter Laboratory.<br />
Version 2 – Summer 2008<br />
Figure 3-3 Iris<br />
image showing<br />
unique structure.<br />
30
Section 3 22 Types of <strong>Biometric</strong> Technologies<br />
Iris recognition systems use<br />
a CCD camera to capture a<br />
black-and-white, high-resolution<br />
image of the iris under<br />
infra-red illumination. They<br />
then define the boundaries<br />
of the iris, establish a coordinate<br />
system, and define the<br />
“zones for analysis.”<br />
All parts of the visible iris are<br />
processed into a reference<br />
(template) that is often referred to as an IrisCode ® . 31 The<br />
software locates and “eliminates” (does not encode) data<br />
from eyelashes, eyelids and other “non-iris” sources (e.g.,<br />
light reflections). Algorithms check for a specific pattern<br />
reflected on the eye and may use additional measurements<br />
to determine that the eye is living. The visible<br />
characteristics within the “zones of analysis” are converted<br />
into a 512-byte template that is used to identify the<br />
individual; 256 of these bytes are control code.<br />
Most physical access control applications require a person<br />
to stand within three to 10 inches of the camera and<br />
look directly into the lens, centering his/her eye based<br />
on a guidance light or illuminated pattern on a two-way<br />
mirror in front of the user. More interactive systems may<br />
“verbally” prompt or signal the user to adjust his/her distance<br />
for proper image capture. Some systems using<br />
desktop or hand-held cameras can operate at a distance<br />
of about 12 to 18 inches.<br />
31 IrisCode is a trademark of Iridian Technologies, Inc.<br />
32 Photo from Dr. John Daugman, Cambridge University, The Computer<br />
Laboratory.<br />
Figure 3-4 An iris image with an<br />
IrisCode ® . 32<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 23<br />
Robustness<br />
It can take one to two seconds for an iris recognition system<br />
to identify a person’s iris pattern. A template iris pattern<br />
code (or IrisCode ® ) contains less than half of a kilobyte<br />
of data, resulting in a small “electronic footprint.” Up<br />
to one million records-per-second can be scanned using<br />
a standard personal computer.<br />
Iris-based systems have the lowest false match rates<br />
among all currently available biometric methods, and are<br />
the least intrusive technique of the eye-based biometrics.<br />
It is one of the few biometric systems, besides fingerprinting,<br />
that works well in “identification” (one-to-many<br />
comparison) mode. The technology also works well with<br />
eyeglasses and non-patterned contact lenses in place,<br />
as well as with a variety of ethnic groups, including hose<br />
persons with dark irises. The International Standard ISO<br />
19704-6 recommends that eyeglasses be removed for<br />
the enrollment process and hard contact lenses and patterned<br />
soft contact lenses should be removed. (Implicit<br />
for enrollment and recognition).<br />
Iris patterns are thought to be highly distinctive. Not<br />
even the patterns of one’s own irises are the same, and<br />
identical twins each have different iris patterns as well.<br />
Iris patterns are thought not to change over the course<br />
of one’s lifetime, but scientists responsible for the development<br />
of iris recognition software have recently stated<br />
that more research in the area is needed.<br />
Version 2 – Summer 2008
Section 3 24 Types of <strong>Biometric</strong> Technologies<br />
Limitations<br />
Ease of use can be an issue with some iris recognitionbased<br />
systems since the user must line-up his/her eye<br />
with the camera. In most cases, the current technology<br />
does not lend itself to surveillance applications or where<br />
users are moving quickly, as it requires the user to stop<br />
for a few seconds and look directly into the camera to<br />
be identified. However, “iris on the move” systems have<br />
been successful. Even blind persons, if the iris is intact<br />
and useful, can use an iris recognition system, but will<br />
need additional assistance or guidance to position their<br />
eyes appropriately.<br />
People who believe in iridology 33 think that the imaging<br />
of their irises will reveal their medical conditions and<br />
diseases, such as pregnancy, heart disease, diabetes,<br />
AIDS, or high blood pressure. No scientific study has established<br />
that iris recognition templates can provide information<br />
about a person’s health, and iridology has no<br />
known scientific support.<br />
<strong>Application</strong>s<br />
Some programs and applications include: Airline passenger<br />
screening, border security, facility access control,<br />
computer login, ATMs, inmate identification in correctional<br />
facilities, and grocery stores (for automated check<br />
out). The Charlotte-Douglas International Airport uses<br />
iris recognition for physical access of workers when en-<br />
33 Iridology is the study of the iris to determine health problems. Iridologists<br />
believe that changing patterns in the iris can reveal health conditions,<br />
although the practice cannot detect specific diseases.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 25<br />
tering non-public areas of the airport. During the Winter<br />
Olympics in Nagano, Japan, an iris recognition system<br />
controlled access to the rifles used in the biathlon. The<br />
United Arab Emirates has used an iris recognition biometric<br />
screening system for over two years to screen all<br />
arriving visa holders at their points of entry to detect previously<br />
deported persons. The United Nations has also<br />
successfully used the system in refugee control applications.<br />
Keystroke Analysis/Keystroke Dynamics<br />
How the <strong>Technology</strong> Works<br />
Keystroke dynamics, or analysis, is also referred to as typing<br />
rhythms. It is an automated method of analyzing the<br />
way a user types at a terminal or keyboard, examining dynamics<br />
such as speed, pressure, total time taken to type<br />
particular words, and the time elapsed between hitting<br />
certain keys. Specifically, keystroke analysis measures<br />
two distinct variables: “dwell time,” which is the amount<br />
of time a person holds down a particular key, and “flight<br />
time,” which is the amount of time it takes between keys.<br />
The technique works by monitoring the keyboard inputs<br />
at thousands of times per second in an attempt to identify<br />
the user by his/her habitual typing rhythm patterns.<br />
Keystroke verification techniques can be classified as either<br />
static or continuous. Static verification approaches<br />
analyze keystroke verification characteristics only at specific<br />
times, for example, during the login sequence. Static<br />
approaches provide more robust user verification than<br />
simple passwords but do not provide continuous security.<br />
They cannot, for instance, detect a substitution of<br />
the user after the initial verification. Continuous verifica-<br />
Version 2 – Summer 2008
Section 3 26 Types of <strong>Biometric</strong> Technologies<br />
tion monitors the user’s typing behavior throughout the<br />
course of the interaction.<br />
In comparison to other biometric technologies, keystroke<br />
dynamics is probably one of the easiest to implement<br />
and administer. This is primarily because the technology<br />
is completely software-based; there is no need to<br />
install any new hardware. All that is needed is the existing<br />
computer and keyboard.<br />
For enrollment, the individual must type a specific word<br />
or group of words. In most cases, the username and password<br />
of the individual is used. It is important that this<br />
same word or phrasing is used in both the enrollment<br />
and verification processes. Otherwise, the behavioral<br />
characteristic of typing will be significantly different, and<br />
as a result, there will be a mismatch between the enrollment<br />
template and verification measures.<br />
To create the enrollment template, the user must type<br />
his/her name and password about 15 times, and it is recommended<br />
that this process occur over a period of time<br />
rather than at a single point in time. This is because the<br />
inconsistent behavioral characteristics will be averaged.<br />
With keystroke dynamics, the individual must type without<br />
making any corrections, or the system will prompt<br />
the user to start completely over again.<br />
The distinctive behavioral characteristics that are measured<br />
by keystroke dynamics include:<br />
•<br />
•<br />
•<br />
Cumulative typing speed<br />
The time elapsed between consecutive keystrokes<br />
The time that each key is held down<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 27<br />
•<br />
•<br />
The frequency of the individual in using other keys<br />
on the keyboard, such as the number pad or function<br />
keys<br />
The sequence utilized by the individual when attempting<br />
to type a capital letter (for example, does<br />
the user release the shift key or the letter key first?)<br />
These behavioral characteristics became statistical profiles,<br />
then the enrollment template and verification samples.<br />
These templates also store the actual username<br />
and password. The statistical profile scan can either be<br />
“global” or “local.” With a “global” profile, all of the typing<br />
behavioral characteristics can be combined, or with a “local”<br />
profile, the behavioral characteristics are measured<br />
for each keystroke.<br />
Robustness<br />
The extent of the statistical correlation needed to declare<br />
a match between the enrollment template and verification<br />
measures can be modified to accommodate the required<br />
security level. An application that requires a lower<br />
level of security will permit for diffrences in the typing<br />
behavior. However, an application that requires a higher<br />
level of security will not permit any differences in the typing<br />
behavior.<br />
Keystroke dynamics technology does not require any<br />
additional, specialized hardware to implement. It is also<br />
easily integrated with other existing authentication processes.<br />
And minimal training is required for an individual<br />
to use a keystroke dynamic-based system, as people are<br />
accustomed to typing in a username and password on a<br />
keyboard.<br />
Version 2 – Summer 2008
Section 3 28 Types of <strong>Biometric</strong> Technologies<br />
Templates generated by a keystroke recognition system<br />
are specific only to that username and password used<br />
to generate the template. Should the username and/or<br />
password be tampered with, the user needs only to select<br />
a new username and password to create a new set of<br />
enrollment templates and verification measures.<br />
The use of a primarily behavioral trait—keystrokes—<br />
which may have a smaller biological component than<br />
other biometrics, such as the iris—as a personal identifier<br />
has inherent limitations. When coupled with traditional<br />
biological biometric technologies, keystroke dynamics<br />
allows for a more robust authentication system than traditional<br />
password-based alternatives alone.<br />
Limitations<br />
The inherent limitations of keystroke dynamics as an authentication<br />
mechanism are attributed to the nature of<br />
the template “signature” and its relationship to the user—recognizing<br />
users based on habitual rhythm in their<br />
typing patterns uses dynamic performance features that<br />
depend on an act, and that rhythm is a function of the<br />
user and the environment.<br />
Keystroke dynamics-based systems possess the same<br />
flaws as username/password systems in that they do not<br />
ease the burden of having to remember multiple passwords,<br />
decrease the administrative costs of having to<br />
reset passwords, nor enhance convenience to the indi-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 29<br />
vidual using the system. Rather, keystroke dynamics enhances<br />
the security to an existing username/passwordbased<br />
system.<br />
Keystroke dynamics-based systems are only used in oneto-one<br />
verification applications and cannot be used in<br />
one-to-many identification applications due to the limitations<br />
in the matching accuracy.<br />
Additionally, keystroke dynamics has not been fully tested<br />
in wide-scale deployments. 34<br />
<strong>Application</strong>s<br />
One potentially useful application is computer access,<br />
where this biometric could be used to verify the computer<br />
user’s identity continuously. Dynamic or ongoing<br />
monitoring of the interaction of users while accessing<br />
highly restricted documents or executing tasks in environments<br />
where the user must be “alert” at all times (for<br />
example, air traffic control) is an ideal scenario for the<br />
application of a keystroke authentication system. Keystroke<br />
dynamics may be used to detect uncharacteristic<br />
typing rhythms such as those brought on by drowsiness,<br />
fatigue, etc., and alarm a third party.<br />
34 As of this writing.<br />
Version 2 – Summer 2008
Section 3 30 Types of <strong>Biometric</strong> Technologies<br />
Palmprint<br />
How the <strong>Technology</strong> Works<br />
The palmprint is made up of principal<br />
lines, wrinkles, and ridges. In the<br />
palmprint, some kinds of features<br />
could be considered “geometry” features<br />
(e.g., width, length, and area<br />
of palm), line features (e.g., principal<br />
lines, coarse wrinkles, and fine wrinkles)<br />
and point features (e.g., minutiae<br />
and delta points). Palmprint<br />
verification—to determine whether<br />
two palmprints are from the same<br />
palm—can use the physical features<br />
mentioned above to verify the identity<br />
of a live person.<br />
Palm biometrics is close to fingerprinting in that ridges,<br />
valleys, and other minutiae data are found on the palm<br />
as with finger images.<br />
There are two approaches to palmprint recognition. 35<br />
One approach transforms palmprint images into specific<br />
transformation domains, including Eigenpalm, Gabor<br />
filters, Fourier Transform, and wavelets. Another approach<br />
is to extract principal lines and creases from the<br />
palm. This approach, however, is often difficult because<br />
it is sometimes troublesome to extract the line structures<br />
35 According to Palmprint Recognition with PCA and ICA. Tee Connie.<br />
Multimedia University, Melaka, Malaysia.<br />
36 Image from Personal Verification using Palmprint and Hand Geometry<br />
<strong>Biometric</strong>. Kumar, Wong, Shen, and Jain. 2003.<br />
Figure 3-5<br />
Example of<br />
palmprint<br />
patterns. 36<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 31<br />
that can discriminate one person from another. Creases<br />
and ridges of the palm often cross and overlap each other,<br />
which complicates the feature extraction task.<br />
Robustness<br />
Like fingerprints, palmprint patterns are stable throughout<br />
one’s lifetime, are unique, and cannot be forged or<br />
transferred. Unlike fingerprints, palmprints are claimed<br />
to be less likely to wear away due to excessive or occupational<br />
abuse, but there is no data to support that claim.<br />
Limitations<br />
Vulnerabilities and issues surrounding the use of palmprint<br />
technologies are much the same as those for fingerprint<br />
biometrics. Excessive dirt, grime, or oils on the<br />
skin can dirty the platen, potentially causing false reads<br />
or non-reads of users. Likewise, fingerprint and other<br />
biometrics that require a user to physically touch a reader,<br />
some users are hesitant to touch something that many<br />
people have touched before them.<br />
Additionally, some users may fail to touch all or enough<br />
of their palm onto the imaging platen, so an adequate<br />
reading can be taken.<br />
<strong>Application</strong>s<br />
Law enforcement’s interest in palmprints applications is<br />
prompted by the latent palmprints found at crime scenes,<br />
which can be just as useful as latent fingerprints for crime<br />
solving. States such as California, Connecticut, Virginia,<br />
and Wisconsin are among those adopting palmprint rec-<br />
Version 2 – Summer 2008
Section 3 32 Types of <strong>Biometric</strong> Technologies<br />
ognition in their law enforcement activities. The technology<br />
is also appropriate for the access control market.<br />
Additionally, adding palmprint recognition to fingerprint<br />
systems could help improve the identity verification provided<br />
by fingerprints in cases where fingerprint images<br />
cannot be properly acquired (e.g., due to dry skin). Similarly,<br />
palmprint biometrics could be symbiotic with hand<br />
geometry systems, providing a higher degree of accuracy<br />
in identification when the two technologies are combined<br />
into a single system.<br />
Retinal Scan<br />
How the <strong>Technology</strong> Works<br />
Research conducted in the 1930s suggested that the<br />
patterns of blood vessels in the back of the human eye<br />
were unique to each individual, making retinal scan one<br />
of the oldest known biometrics. Nevertheless, it should<br />
be noted at the onset that retinal scanning—despite its<br />
accuracy potential—has been and will continue to be<br />
a marginal biometric technology in public applications<br />
that require a high degree of user acceptance.<br />
Retinal blood vessel patterns are highly distinctive traits.<br />
Like iris patterns, every human eye has its own unique<br />
pattern of retinal blood vessels, including the eyes of<br />
identical twins.<br />
The retina is small, internal to the eye, and thus difficult<br />
to image - making image capture and analysis a more<br />
difficult challenge than other biometric traits. To use a<br />
retinal scanning system, the user must position his/her<br />
eye very close to the lens of the retina-scan device, look<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 33<br />
directly into the lens at a small green light, and remain<br />
still while maintaining visual focus on the light. During<br />
this time, a light detector (not a laser or camera, as depicted<br />
in popular sci-fi movies) scans the retina illuminated<br />
using infrared light shown through the pupillary<br />
opening. Because of the close proximity requirements<br />
between the user’s eye and the reader, and the small diameter<br />
of the pupil, even the slightest movement can<br />
interfere with the identification process and force a retry.<br />
Although the identification process can take 10–15<br />
seconds once users are familiar with the system, enrollment<br />
can often take several minutes as users are learning<br />
how to interact with this technology. It is important<br />
to emphasize that the retinal scanning devices formerly<br />
commercially available did not image the retina, but<br />
only detected return light from the retina as the scanning<br />
illuminator swung in a circular pattern.<br />
Robustness<br />
The blood vessel pattern of the retina rarely changes over<br />
the lifetime of an individual, unless he/she is afflicted by<br />
a disease of the eye, such as glaucoma. Retinal scan devices<br />
are one of the most accurate biometrics available<br />
as the continuity of the retinal pattern throughout life<br />
and the difficulty of spoofing (fooling) such a system<br />
with a fake eye make it a potentially good long-term option<br />
for very high-security applications.<br />
Since the retina is located inside the eye, it is not exposed<br />
to the threats of the external environment, as are other<br />
biometrics like fingerprints and hands. There is no<br />
known way to replicate a retina and a retina from a dead<br />
Version 2 – Summer 2008
Section 3 34 Types of <strong>Biometric</strong> Technologies<br />
person would deteriorate too quickly to be useful.<br />
Limitations<br />
Most of the weaknesses, or vulnerabilities, of retinal recognition<br />
are primarily user-based issues. For example,<br />
the user-reader interface is not convenient for eyeglass<br />
wearers (glasses have to be removed first) nor for those<br />
who have concerns about close contact with the reader.<br />
For these reasons, retinal scanning experienced serious<br />
user acceptance problems in the 1980s and 1990s<br />
as friendlier biometrics came into mainstream use. The<br />
leading product, although no longer commercially available,<br />
underwent a redesign in the mid-90s to provide<br />
enhanced connectivity and an improved user interface.<br />
Despite such improvements, however, it remains a<br />
marginal biometric technology from a user-acceptance<br />
standpoint.<br />
Of all the biometric technologies, the motivation level<br />
of the user must be very high for the system to function<br />
properly. Users must interact correctly and patiently for<br />
the system to work.<br />
Although each pattern normally remains stable over a<br />
person’s lifetime, it can be affected by disease such as<br />
glaucoma, diabetes, high blood pressure, and autoimmune<br />
deficiency syndrome (AIDS), although no method<br />
for detecting these diseases from the circular retinal scan<br />
has been developed.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 35<br />
<strong>Application</strong>s<br />
Contrary to popular public misconceptions and reflective<br />
of what is seen in movies and read in novels, retinal scanning<br />
was used almost exclusively in high-end security<br />
applications, such as controlling access to military installations,<br />
nuclear facilities, and laboratories.<br />
One of the best-documented public applications for using<br />
retinal recognition was conducted in the U.S. by the<br />
state of Illinois in an effort to reduce welfare fraud. 37 The<br />
primary purpose was to identify welfare recipients, so<br />
that benefits could not be claimed more than once. The<br />
project was eventually terminated due to concerns that<br />
it was not easily usable by clients or staff.<br />
Skin Spectroscopy/Skin Texture/Skin<br />
Contact<br />
How the <strong>Technology</strong> Works<br />
Human skin is a complex organ made up of multiple layers,<br />
mixtures of chemicals, and distinct structures such as<br />
hair follicles, sweat glands, and capillary beds. Although<br />
every person has skin, each person’s skin is structurally<br />
unique. Skin layers vary in thickness, interfaces between<br />
skin layers have different undulations and other characteristics,<br />
collagen fibers and elastic fibers in the skin layers<br />
differ, and capillary bed density and location differ.<br />
Cell size and density within the skin layers, as well as the<br />
chemical makeup of these layers, also vary from person<br />
to person.<br />
37 An <strong>Application</strong> of <strong>Biometric</strong> <strong>Technology</strong>: Retinal Recognition. Series #3.<br />
Ravi Das, HTG Solutions.<br />
Version 2 – Summer 2008
Section 3 36 Types of <strong>Biometric</strong> Technologies<br />
The “skin spectroscopy” technology recognizes skin differences<br />
by their optical properties. A small patch of<br />
skin is illuminated by a sensor via multiple wavelengths<br />
(i.e., colors) of visible and near infrared right. The light<br />
is reflected back after being scattered in the skin and is<br />
then measured for each of the wavelengths. Reflectance<br />
variability of the various light frequencies as they pass<br />
through the skin are analyzed and processed to extract<br />
a characteristic optical pattern that is compared to the<br />
pattern on record or stored in the device to provide an<br />
identification/authentication.<br />
Because the optical signal is affected by changes to the<br />
chemistry and other properties of human skin, it also<br />
provides a sensitive and relatively easy way to confirm<br />
that a sample is living tissue. Non-human tissue or synthetic<br />
material has different optical properties than living<br />
human skin. Likewise, excised or amputated tissue<br />
undergoes rapid changes in biochemistry, temperature,<br />
and distribution of fluids within the various biological<br />
compartments that alter the light signals.<br />
A spectral biometric system consists of three major subsystems:<br />
the optical sensor, electronics to drive the sensor,<br />
and the algorithm and procedures used to derive<br />
biometric features from the raw spectral data. Other skin<br />
recognition systems use high-resolution cameras to capture<br />
images then the algorithms analyze the skin for features,<br />
such as wrinkles, pores, structure, texture, etc.<br />
Variations<br />
Skin spectroscopy is ideally suited to layering in dual biometric<br />
systems, helping to build ultra high-performance<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 37<br />
systems that measure two or more independent biometric<br />
identifiers. Because skin spectroscopy-based systems<br />
require contact with skin, this makes fingerprint sensors<br />
and hand/finger geometry systems particularly compatible<br />
with this technology.<br />
Robustness<br />
Skin patterns, whether identified by algorithms via surface<br />
texture analysis or spectral analysis, are a physical<br />
trait that is thought to be distinguishable among all people,<br />
including identical twins.<br />
This technique may be highly resistant to “spoofing” attacks.<br />
Amputated and synthetic tissues generate different<br />
optical signals from living tissue, and it is significantly<br />
more difficult to produce a facsimile of a skin sample that<br />
would fool a variety of sensors. In addition to providing<br />
anti-spoofing for its own system, skin spectroscopy<br />
can be leveraged to provide anti-spoofing protection for<br />
other “contact” biometrics, such as fingerprint and hand<br />
geometry.<br />
Skin spectroscopy is unrestricted by physical, biological,<br />
cultural, or religious hurdles. It will work for individuals<br />
with any skin color and aging should not affect results.<br />
Limitations<br />
Obviously, skin recognition biometric technologies will<br />
not work if the user is wearing gloves or a mask that covers<br />
his/her skin. A reasonable proximity to the reader is<br />
also required, as identifications cannot be made from a<br />
Version 2 – Summer 2008
Section 3 38 Types of <strong>Biometric</strong> Technologies<br />
distance, although a certain level of “standoff” reading<br />
capability has been demonstrated.<br />
This type of system is best used for applications with<br />
moderate environmental conditions, since requiring users<br />
to remove gloves could slow down the access control<br />
process to unacceptable levels.<br />
<strong>Application</strong>s<br />
Some vendors’ sensors can operate on nearly any portion<br />
of the skin, making them ideal for integration into<br />
consumer products in ways that easily and conveniently<br />
ensure security. Initial designs show system sensors to<br />
be small, fast, and durable. Their low cost and low power<br />
consumption, and the algorithm’s processing efficiency<br />
and low memory requirements, make this technology<br />
promising for use in portable devices if it is perfected.<br />
Smartphones, PDAs, and other mobile-based products<br />
could provide general purpose authentication capability<br />
for applications ranging from e-commerce to physical<br />
security.<br />
Speaker Verification<br />
How the <strong>Technology</strong> Works<br />
Speaker verification has strong behavioral and biological<br />
components. The differences in how people’s voices<br />
actually sound can result from a combination of biological<br />
differences, such as the shape of the vocal tracts, and<br />
from individual speaking habits. Speaker verification<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 39<br />
technology uses these differences to create a voice print<br />
template that can be used to verify the identity of a person<br />
by comparing the unique patterns generated as a result<br />
of these differences. Speaker verification is separate<br />
and distinct from “voice recognition,” which is the recognition<br />
of spoken words and typically used in automated<br />
telephone directory services and in dictation systems.<br />
Unlike speaker verification, voice recognition is not a biometric<br />
technology since it does not confirm individual<br />
identity.<br />
Speaker verification has traditionally focused on the<br />
sound of the voice that is generated by the resonance<br />
in the vocal tract. The length of the vocal tract and the<br />
shape of the mouth and nasal cavities affect the voice.<br />
Speaker verification is defined as “the automated process<br />
of identifying a specific individual’s voice.” Typically during<br />
enrollment, the speaker verification system will capture<br />
samples of a person’s voice by having him/her repeat<br />
a set of pre-determined words, sentences, or phrases into<br />
a microphone or telephone. As with other biometrics,<br />
an enrollment template is generated and stored for future<br />
comparisons. This template is often referred to as a<br />
“voice print.”<br />
Speaker verification systems can be of two types: textindependent<br />
or text-dependent. Text-dependent sysstems,<br />
during enrollment, capture samples of a person’s<br />
voice by having him/her repeat a set of pre-determined<br />
words, sentences, or phrases into a microphone or telephone.<br />
This technique enhances the verification (and in<br />
some limited use, recognition) but requires a cooperative<br />
and patient user.<br />
In text-independent recognition, however, the user does<br />
not have to say a pre-determined phrase nor cooper-<br />
Version 2 – Summer 2008
Section 3 40 Types of <strong>Biometric</strong> Technologies<br />
ate or even be aware of the recognition system. Consequently,<br />
text-independent recognition has been used<br />
when trying to identify or recognize a speaker from radio<br />
or telephone signals.<br />
Variations<br />
As mentioned above, in text-dependent recognition, the<br />
user is asked to repeat a pre-determined phrase or words.<br />
This technique enhances recognition, but requires a cooperative<br />
and patient user. In text-independent recognition,<br />
the user does not have to say a pre-determined<br />
phrase nor cooperate or even be aware of the recognition<br />
system. Consequently, the text-independent recognition<br />
is used when trying to identify the speaker from<br />
intercepted radio or telephone signals.<br />
Speaker verification primarily examines the sound of the<br />
voice and should be distinguished from speech recognition.<br />
Speech/voice recognition recognizes the words<br />
and phrases that are spoken rather than the voice itself.<br />
Robustness<br />
There are many advantages to using speaker verification.<br />
It provides eye-and hands-free operation, is reliable, flexible,<br />
and has a good data accuracy rate. Speaker verification<br />
technology continues to grow and improve.<br />
Speaker verification systems are easy to use and typically<br />
require no special training or equipment. For text-dependent<br />
systems, users simply repeat phrases through<br />
a microphone. Voice-based biometric systems are relatively<br />
inexpensive, compared to other biometrics since<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 41<br />
they employ everyday microphones as “capture” devices.<br />
Consumers/users are used to being identified by their<br />
voices, so system acceptance and cooperation is typically<br />
high.<br />
Limitations<br />
Different people can have similar voices and a person’s<br />
voice can vary over time due to changes in health,<br />
emotional state, and age. Physical conditions of the voice,<br />
such as those due to sickness, can affect the speaker<br />
verification process, and since changes are likely to occur<br />
with age, waiting long periods between comparisons<br />
could affect long-term accuracy.<br />
In access control applications, speaker verification’s use is<br />
limited to one-to-one verification applications. Because<br />
of matching accuracy limitations of the technology and<br />
the variability of the individual pass phrases used for<br />
enrollment, speaker verification has historically been<br />
found to be suitable for one-to-many identification. Most<br />
speaker verification systems must be “trained”, requiring<br />
samples of the voice of the user of the system.<br />
Variation in telephone handsets or microphones and<br />
the quality of the communication connection in general<br />
can affect accuracy. Problems typically arise when<br />
an application faces the challenge of cross-channel<br />
enrollment, when a voice that may have been acquired<br />
over one device - for example, in a person using a highquality<br />
microphone - is to be detected through the use<br />
of a lower-quality connection, such as a cell phone.<br />
This common phenomenon can affect accuracy rates,<br />
especially when the user has high expectations and<br />
relatively little training. Speaker recognition models are<br />
Version 2 – Summer 2008
Section 3 42 Types of <strong>Biometric</strong> Technologies<br />
typically large, often on the order of 6Kb per speaker.<br />
<strong>Application</strong>s<br />
Text-dependent speaker verification systems have been<br />
used in logical access control applications and where remote<br />
identity verification is required. A major example<br />
of this is call center automation, where transaction processing<br />
is automated via telephone or computer. Popular<br />
uses include financial transactions (account access,<br />
funds transfer, bill payment, trading of financial instruments)<br />
and credit card processing (address changes, balance<br />
transfers, loss prevention).<br />
Speaker verification/recognition has also made an impact<br />
in the penal system where it is used to monitor<br />
and control inmate phone priviledges and identity verification<br />
of parolees, juvenile inmates, and those under<br />
house arrest.<br />
Although speaker verification technology has not<br />
been as widely adopted and utilized as other biometric<br />
technologies, there are indications that speaker<br />
verification could be adopted on a larger scale in the<br />
future for a number of reasons 38 .<br />
•<br />
•<br />
Telephone is the primary means by which consumers<br />
conduct financial transactions and access financial<br />
account information.<br />
Consumers know about the problem of identity<br />
theft.<br />
38 According to <strong>Biometric</strong> Media Weekly. October 6, 2004.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 43<br />
•<br />
•<br />
Many consumers feel that PINs and passwords are<br />
not secure enough.<br />
Consumers have a strong level of concern when<br />
communicating confidential information over the<br />
telephone.<br />
Because of these fears of identity theft and other forms of<br />
fraud, consumers might be more willing to participate in<br />
a speaker verification system.<br />
Vascular <strong>Biometric</strong>s<br />
How the <strong>Technology</strong> Works<br />
Vascular biometric systems, also called hand vascular<br />
pattern recognition systems, record subcutaneous infrared<br />
(IR) absorption patterns to produce distinctive identification<br />
templates for users. The technology could be<br />
likened to a vascular “barcode” reader. Veins and other<br />
subcutaneous features present large, robust, stable, and<br />
largely hidden patterns that can be conveniently imaged<br />
within the wrist, palm, and dorsal surfaces of the hand.<br />
In a typical hand-based vascular biometric, the hand<br />
is placed under an imager and an image of the back of<br />
the hand is taken. In the image, the main dorsal blood<br />
vessels have higher temperature compared to the surrounding<br />
tissue, so they appear brighter in the image.<br />
The system carefully selects the region of interest (ROI)<br />
of the hand and extracts the vein patterns. After “noise<br />
reduction,” the vein pattern is segmented from the background.<br />
Since the sizes of blood vessels grow as people<br />
grow, only the shape and distribution of the veins is taken<br />
into consideration. The vein pattern is skeletonized and<br />
Version 2 – Summer 2008
Section 3 44 Types of <strong>Biometric</strong> Technologies<br />
a shock graph representation is obtained for the pattern.<br />
A comparison of the shock graph with the ones stored in<br />
the database is carried out and a decision is made for the<br />
identification match/non-match.<br />
In a typical palm-based system the palm is illuminated<br />
with IR light. Hemoglobin in the veins absorbs the IR<br />
light, and the resulting image provides a clearly defined<br />
pattern, darker than the other portions of the hand. The<br />
person’s identity is confirmed if the extracted pattern<br />
matches with the pattern that was registered in the system<br />
during enrollment.<br />
Variations<br />
Vein pattern recognition devices consider the vein patterns<br />
in either the top of the hand or in the palm. There is<br />
also a vein pattern recognition system that uses the vein<br />
patterns in the finger.<br />
In the finger-based system, the user inserts his/her finger<br />
into the finger vein reader, which is typically a CCD<br />
camera inside a partially enclosed device. The device<br />
captures the finger vein pattern that is projected by near<br />
IR from LEDs. The high absorbance rate of the near IR<br />
wavelength of hemoglobin in the blood vessel enables<br />
finger vein patterns to be acquired. These “raw” images<br />
are, after being converted into certification format, sent<br />
to the image database to compare with the registered<br />
template, and a match/no match decision is made.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 45<br />
Robustness<br />
The human vascular structure is a distinctive feature of<br />
each individual. IR absorption patterns are easily compared<br />
using, like all biometrics, digital signal processing<br />
(DSP) techniques. Identical twins have distinct IR absorption<br />
patterns, as does everyone in the patterns of veins<br />
on one’s own right and left hands. Veins provide large,<br />
robust and hidden biometric features that are not easily<br />
observed, damaged, obscured, or changed. Veins<br />
are useable in rough environments where more delicate<br />
biometrics such as fingerprints would be damaged.<br />
Veins are hard to disguise or alter. The use of vascular<br />
biometrics avoids privacy concerns and criminal stigma<br />
of fingerprints. Vein patterns in the hand are claimed to<br />
be stable over one’s lifetime, barring trauma or surgery<br />
that would otherwise alter them.<br />
Limitations<br />
Obviously, gloved, covered, or extremely dirty hands<br />
cannot be, or cannot easily be, identified using a hand<br />
vein pattern recognition system. These systems are two<br />
to three times more expensive than fingerprint systems<br />
and are historically considered an esoteric biometric<br />
without definitive documentation of its reliability and accuracy<br />
available in the public domain. Drugs, exercise,<br />
mental health and medical conditions all impact imaging<br />
and accuracy of comparisons. Also, current vein pattern<br />
recognition systems use cameras that are not portableor<br />
certainly less portable-than other technologies.<br />
<strong>Application</strong>s<br />
While vascular biometrics has not historically been a<br />
Version 2 – Summer 2008
Section 3 46 Types of <strong>Biometric</strong> Technologies<br />
mainstream modality, and indeed as recently as 2003<br />
was categorized as “esoteric”, in the early or experimental<br />
stage (Woodward, Orlans, Higgins, <strong>Biometric</strong>s, Identity<br />
Assurance in the Information Age), some progress has<br />
been made recently to document its efficacy which may<br />
move it toward greater acceptance and proliferation.<br />
The potential for high accuracy in vascular biometrics<br />
has always been present and on occasion demonstrated<br />
in practical applications such as Retinal Scanning. Although<br />
Retinal Scanning continues to be categorized<br />
as an “eye-biometric”, the technology is in fact, based on<br />
matching live vascular patterns in the retina with previously<br />
enrolled patterns in a database.<br />
Early uses of vascular biometrics were in low to medium<br />
security applications, such as time and attendance<br />
(to prevent “buddy punching”), allowance and payment<br />
control, login and information protection, and safe deposit<br />
box access. These have been supplemented more<br />
recently by higher security applications including a nuclear<br />
power facility, a high-risk biohazard lab, universities,<br />
and casinos. The largest seaport facility in Canada<br />
is currently using vascular biometics for credentialing<br />
employees and controlling access. In this application, to<br />
allay privacy concerns, the biometric data is on a smart<br />
card in the possession of the individual rather in a centralized<br />
Port Authority database. According to Hitachi,<br />
about 85% of Japan’s ATMs are using vascular biometrics<br />
to prevent loss 39 .<br />
39 Security Management, January, 2008, Technofile, “Vein Rec-<br />
ognition Use Grows”, John Wagely.<br />
Version 2 – Summer 2008
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
500 – 1000 bytes • Well suited for<br />
applications where<br />
signatures are accepted<br />
identifiers<br />
Signature size is limited<br />
Users are unaccustomed to<br />
signing tablets<br />
Has limited applications<br />
Signatures change over time<br />
Enrollment and verification<br />
conditions must be in same<br />
type of environment<br />
Low accuracy<br />
•<br />
•<br />
Virtually no privacy rights issues<br />
High user acceptance since it<br />
is similar to existing pen-based<br />
signature method<br />
Resistant to imposters<br />
Leverages existing processes<br />
Perceived as non-invasive<br />
Users can change signatures<br />
•<br />
•<br />
How a user<br />
signs his/her<br />
name<br />
Dynamic<br />
Signature<br />
Analysis<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
84 bytes – 3.5K • Use in some passport<br />
and visa application<br />
systems<br />
• Use in some access<br />
control systems<br />
The PIEC problem degrades<br />
performance<br />
Easily circumvented by<br />
disguise & cosmetics<br />
Cannot distinguish between<br />
identical twins<br />
Niche market for network<br />
authentication<br />
•<br />
Can leverage existing databases,<br />
including static driver’s license<br />
photos<br />
Can capture images from a distance<br />
Affordable hardware<br />
Perceived as less intrusive than other<br />
technologies<br />
Moderate accuracy<br />
•<br />
Facial<br />
features/<br />
patterns<br />
Facial<br />
Imaging<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
256 bytes – 2Kb • In-house systems where<br />
users can be trained<br />
appropriately, in a<br />
controlled environment<br />
•<br />
Workstation access<br />
Has “common criminal” stigma<br />
Skin dryness, dirt, cuts, and<br />
user’s age can cause ID errors<br />
Liveness detection can be a<br />
problem<br />
Fingerprint impression often<br />
left on the sensor<br />
Certain occupations or<br />
activities can temporarily or<br />
permanently cause loss of<br />
fingerprint definition which<br />
impairs operation<br />
•<br />
•<br />
Unique even among twins<br />
Stable throughout one’s lifetime<br />
(subject to the caveats in the<br />
Limitations column)<br />
High to moderate accuracy<br />
Mature and proven core technology<br />
<strong>Technology</strong> is relatively inexpensive<br />
Can be deployed in a range of<br />
environments<br />
Employs ergonomic, easy-to-use<br />
devices<br />
•<br />
•<br />
Fingerprint<br />
patterns<br />
Fingerprints<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
9 bytes • Time and attendance<br />
recording<br />
•<br />
Access control<br />
Hand injury and user’s age<br />
can effect errors<br />
Limitations in hand dexterity<br />
can lead to errors or non-use<br />
Limited accuracy because of<br />
the “simple” features<br />
Features can change over<br />
life-span<br />
Hand geometry hardware has<br />
large footprint, and cannot be<br />
used in embedded systems<br />
Currently only operates in the<br />
verification mode<br />
Some users may be<br />
uncomfortable touching a<br />
device that many people have<br />
previously touched<br />
•<br />
Moderate accuracy<br />
Offers good balance of performance<br />
characteristics<br />
Relatively easy to use<br />
Perceived by most as non-intrusive<br />
and non-threatening<br />
•<br />
•<br />
Hand shape/<br />
size<br />
Hand<br />
Geometry<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Iris<br />
Iris patterns • High accuracy<br />
• Some users won’t accept eye- 256 – 512 bytes • High security<br />
Recognition<br />
• Uses conventional camera-based based technology<br />
applications<br />
reader<br />
• High cost capture devices<br />
• Suitable for very large<br />
• Works well through eyeglasses and • Has not been shown to<br />
databases<br />
contacts, even colored ones<br />
be suitable for covert<br />
• 1 to N searches without<br />
• One of the few biometrics that<br />
surveillance<br />
PIN or P/W<br />
works well in “identification” (one to • Erroneously confused with<br />
• Watch lists,<br />
many) mode<br />
iridology<br />
• Benefits entitlements,<br />
• Capable of handling very large<br />
• Duplicate driver’s<br />
databases<br />
license detection<br />
• Distinguishes Monozygotic<br />
(identical) twins<br />
• High speed, 1 million comparisons<br />
persecond<br />
• Highly distinctive biometric feature<br />
Keystroke Typing • Adjustable matching threshold • Not unique to each individual 84 – 2K bytes • Computer and/or<br />
Analysis pattern • No adjustable or specialized • Large variations in a person’s<br />
workstation security<br />
hardware required<br />
typing patterns<br />
• Combines password generation and • Some people do not know<br />
enrollment into one simple function how to type<br />
• Low accuracy<br />
• Predominantly a behavioral<br />
biometric
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Data not available<br />
Low user acceptance because<br />
of criminal stigma<br />
Touching what others may<br />
have<br />
Platen must be clean<br />
Bulky sensor hardware<br />
•<br />
Features unique and stable through<br />
life<br />
Potentially more features than<br />
fingerprints<br />
Features more numerous and<br />
unique than Hand Geometry<br />
•<br />
Palmprints Palmprint<br />
patterns<br />
•<br />
•<br />
•<br />
•<br />
•<br />
96 bytes • High security<br />
applications, i.e., military<br />
Difficult to use (proximity,<br />
focus, no glasses)<br />
Users not comfortable with<br />
technology<br />
Affected by glaucoma,<br />
diabetes, hypertension,<br />
pregnanancy, and AIDS<br />
Limited commercial<br />
availability<br />
Not suitable for covert<br />
applications<br />
•<br />
High accuracy<br />
Very unique biometric feature,<br />
stability over lifetime, difficulty<br />
of spoofing, and protection from<br />
environment<br />
•<br />
•<br />
•<br />
Retinal Scan Retina<br />
blood vessel<br />
patterns<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Identity verification<br />
to physical areas,<br />
computer networks,<br />
ATMs, and consumer<br />
products<br />
Passenger/traveler<br />
identification<br />
Military installation<br />
access<br />
Handgun safety<br />
Keyless auto/truck<br />
entry; keyless ignition<br />
•<br />
Immature, untested<br />
technology<br />
Requires more development<br />
and testing<br />
•<br />
Data not available<br />
•<br />
Works on nearly any skin site<br />
Convenient to use<br />
Small footprint and low power<br />
requirements; good for use in small<br />
electronic devices<br />
Anti-spoofing protection<br />
•<br />
•<br />
•<br />
Skin<br />
physiology<br />
or structure<br />
Skin<br />
Contact<br />
•<br />
•<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Niche, low to medium<br />
security<br />
Inmate identification<br />
in correctional facility<br />
telephone control<br />
applications<br />
House arrest<br />
applications<br />
911 applications<br />
•<br />
<strong>Biometric</strong> component not<br />
distinctive and vary with head<br />
cold, sore throat, weather,<br />
emotional state and age<br />
Ambient noise interferes with<br />
process<br />
Quality variations in<br />
telephones, microphones &<br />
connections affect accuracy<br />
Cross-channel enrollment &<br />
verification affect accuracy<br />
Not suitable for 1:N<br />
identification<br />
Potentially more susceptible<br />
to replay attacks than other<br />
biometrics<br />
System requires extensive<br />
“training” with each<br />
enrollment<br />
Large templates reduce<br />
enrollment capacity<br />
•<br />
•<br />
Eye & hands free operation<br />
Leverages telephone infrastructure<br />
Flexibility makes it suitable for many<br />
applications<br />
Requires no special user training or<br />
equipment<br />
Layers with verbal passwords & PINs<br />
•<br />
•<br />
•<br />
Speaker<br />
Verification<br />
6Kb-80Kb<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Data not available • Niche, low to medium<br />
security<br />
• Inmate identification<br />
in correctional facility<br />
telephone control<br />
applications<br />
• House arrest<br />
applications<br />
• 911 applications<br />
More expensive than<br />
fingerprint<br />
Accuracy affected by drugs,<br />
exercise and health<br />
Limited documentation on<br />
reliability and accuracy<br />
Testing so far limited to 1:1<br />
applications<br />
Users must remove gloves<br />
•<br />
Vascular structure is distinctive<br />
feature<br />
Veins are large, robust, stable and<br />
hidden<br />
Vein patterns easily compared at<br />
high speed<br />
Veins not easily observed, damaged,<br />
obscured or changed<br />
•<br />
Vein<br />
patterns in<br />
palm, top of<br />
hand, and<br />
finger (s)<br />
Vascular<br />
<strong>Biometric</strong>s<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Data not available • Healthcare applications<br />
involving organ donors<br />
or transplants<br />
Other--DNA DNA • Cannot distinguish between<br />
identical twins<br />
• Highly intrusive; requires<br />
physical sample<br />
• Takes days for “comparison”<br />
results<br />
• Easy to steal someone else’s<br />
DNA (hair strand)
COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I<br />
Type Measures Robustness Limitations Template Size <strong>Application</strong>s<br />
Data not available • No known applications<br />
Low accuracy<br />
Difficult human interface<br />
No operational systems<br />
•<br />
•<br />
•<br />
Shape and<br />
contours of<br />
the outer<br />
ear<br />
Other<br />
Shape--Ear<br />
Data not available • Accuracy has not been<br />
established<br />
• If established, could<br />
be useable for covert<br />
surveillance & detection<br />
Other--Gait • Low accuracy<br />
Ineffective with crutched or<br />
wheelchair bound people<br />
Subject to behavioral<br />
manipulation<br />
•<br />
•
COMPARISON OF BIOMETRIC TECHNOLOGIES 40 – MATRIX II<br />
Applicable Published Standards Limitations<br />
Long-term<br />
Stability<br />
Public<br />
Acceptance<br />
Type Universality Accuracy Ease of<br />
Use<br />
Illiteracy<br />
Variability of<br />
signature<br />
Common neuromuscular<br />
diseases<br />
Low Low High Very High Medium INCITS 395-2005<br />
INCITS 358-2002 BioAPI<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Dynamic<br />
Signature<br />
Analysis<br />
Lighting, aging,<br />
glasses, facial hair<br />
disguise, makeup<br />
Low Low Medium Medium Medium INCITS 385-2004<br />
INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Facial<br />
Imaging<br />
40 <strong>Biometric</strong> Identification. Simo Huopio. Helsinki University of <strong>Technology</strong>. November 1998; NBSP expert opinion and NBSP standards data-<br />
base. 2005.
COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II<br />
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations<br />
Use Acceptance Stability<br />
Dry, dirty, damaged<br />
finger images<br />
High High High High High ANSI/NIST ITL 1-2000<br />
CJIS /FBI IAFIS-IC-0110<br />
CJIS-RS-0010 (v) 7<br />
INCITS 377-2004<br />
INCITS 378-2004<br />
INCITS 381-2004<br />
ILO SID-002<br />
INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF<br />
Fingerprints
COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II<br />
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations<br />
Use Acceptance Stability<br />
Hand<br />
Diseases such as<br />
Geometry<br />
arthritis, rheumatism,<br />
Dupytrens<br />
Contracture<br />
Medium Medium High High Medium INCITS 396-2005<br />
INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF<br />
Rare disease such as<br />
Iritis<br />
Reflections<br />
High Very High High Medium High INCITS 379-2004<br />
INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF<br />
Iris<br />
Recognition<br />
Inability to type<br />
Low Low High Unknown Unknown INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF<br />
Keystroke<br />
Analysis
COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II<br />
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations<br />
Use Acceptance Stability<br />
High Unknown Unknown INCITS 358-2002 Bio API<br />
Diseases such as<br />
INCITS 398-2005 CBEFF<br />
arthritis, rheumatism,<br />
ISO/IEC 7816-11:2004 W/IC cards Dupytrens<br />
NIST SP 800-73 W/FIPS 201 Smart Cards Contracture<br />
NISTIR 6529-A CBEFF<br />
Palmprints Medium/High Medium/<br />
High<br />
Diseases of the eye<br />
such as retinitis<br />
Glasses<br />
Diabetes<br />
Pregnancy<br />
Hypertension<br />
Retinal Scan Very High High Low Low High INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Unknown<br />
High Unknown Unknown Unknown Unknown INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Skin<br />
Contact<br />
Background noise;<br />
colds and other<br />
factors<br />
Low Low High High Medium SVAPI<br />
INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF<br />
Speaker<br />
Verification
COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II<br />
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations<br />
Use Acceptance Stability<br />
Vascular Medium/High Medium Medium/ High High INCITS 69-2002 BioAPI<br />
Affected by drugs,<br />
<strong>Biometric</strong>s<br />
High<br />
INCITS 398-2005 CBEFF<br />
health<br />
ISO/IEC 7816-11:2004 W/IC cards Limited<br />
NIST SP 800-73 W/FIPS 201 Smart documentation<br />
Cards<br />
on reliability and<br />
NISTIR 6529-A CBEFF<br />
accuracy<br />
ISO 19794-9 Vascular Image<br />
Testing limited to 1:1<br />
applications<br />
Users must remove<br />
glasses<br />
Need for real time<br />
matching<br />
High High Low High Very high INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Other<br />
– DNA<br />
Unknown<br />
High Unknown Medium Unknown Unknown INCITS 358-2002 Bio API<br />
INCITS 398-2005 CBEFF<br />
ISO/IEC 7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart Cards<br />
NISTIR 6529-A CBEFF<br />
Other – Ear<br />
Shape
COMPARISON OF BIOMETRIC TECHNOLOGIES39 – MATRIX II<br />
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations<br />
Use Acceptance Stability<br />
Other--Gait Medium Unknown High Unknown Low IINCITS 358-2002 BioAPI<br />
Unknown<br />
INCITS 398-2005 CBEFF ISO/IEC<br />
7816-11:2004 W/IC cards<br />
NIST SP 800-73 W/FIPS 201 Smart<br />
Cards<br />
NISTIR 6529-A CBEFF
Section 3 62 Types of <strong>Biometric</strong> Technologies<br />
Other <strong>Biometric</strong> Technologies<br />
Body Odor<br />
Most living things emit an odor that is characteristic of its<br />
chemical composition. In most cases, this odor might be<br />
usable for distinguishing between them.<br />
In a body odor biometric system, sensors capture body<br />
odor from non-intrusive parts of the body, such as the<br />
back of the hand. Each unique human smell consists of<br />
different amounts of volatiles or aromatic compounds.<br />
Body odor is largely produced by bacteria on the skin<br />
and pheromones, the chemical that is produced to signal<br />
to others of the same species. These volatiles are<br />
extracted by the system and converted into a biometric<br />
template. Body odor can be digitally recorded for identification.<br />
These odors are present even though they may<br />
not be detectable by the untrained nose and cannot be<br />
entirely obscured by deodorant or washing.<br />
Most body odor-based systems depend on having users<br />
holding the palm of their hand against a sensor that can<br />
recognize unique scents that have been broken down<br />
into a complex algorithm. Once a person’s body odor<br />
has been registered, it can be entered on a card, such as<br />
a credit card or identity card, or on a document, such as<br />
a passport, just like any other biometric feature. The U.S.<br />
Government (DARPA) is currently 41 funding a multi-year<br />
classified study on this technology.<br />
41 As of this writing.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 63<br />
Body Salinity (Salt)<br />
This developmental system works by exploiting the natural<br />
level of salinity, or salt, in the human body. This is<br />
accomplished by using an electric field and salt’s natural<br />
conductivity to measure a tiny electrical current that<br />
is passed through the body. The electrical current that<br />
is used is approximately one-billionth of an amp (nanoamp),<br />
which is less than the natural currents already present<br />
in the body. Speeds equivalent to a 2400-baud modem<br />
have been claimed, yielding a data transfer rate of<br />
up to 400,000 bits per second.<br />
<strong>Application</strong>s for this kind of biometric technology could<br />
include the interaction (data transfer) between communication<br />
devices carried on the body, such as watches,<br />
mobile phones, and pagers. Also, applications could include<br />
“waking up” household appliances/devices as one<br />
enters a room.<br />
DNA<br />
Deoxyribonucleic Acid (DNA) is the one-dimensional ultimate<br />
unique code for a person’s identity with the exception<br />
of identical sibling sets (twins/triplets), which have<br />
identical DNA patterns. DNA is currently used mostly in<br />
forensics applications for identifying people.<br />
DNA is not readily considered to be a biometric identifier,<br />
although the process certainly positively identifies people<br />
based on a biological characteristic. Although DNA is<br />
an accurate identifier, it differs from what are considered<br />
“standard” biometric features in several ways, including:<br />
Version 2 – Summer 2008
Section 3 64 Types of <strong>Biometric</strong> Technologies<br />
•<br />
•<br />
•<br />
DNA requires a physical sample (e.g. a strand of hair)<br />
instead of an impression, image, or recording of the<br />
biometric feature.<br />
DNA testing cannot, currently, be done in practical<br />
real-time.<br />
DNA requires the user to provide another cell sample<br />
every time he/she wishes to be identified.<br />
In addition to the differences above, there are three key<br />
issues 42 that limit the day-to-day utility of using DNA as a<br />
biometric for “general” (non-forensic) applications.<br />
1.<br />
2.<br />
3.<br />
Contamination and sensitivity: It is easy to steal a<br />
piece of DNA (hair strand, dead skin flake) from an<br />
unsuspecting subject that can subsequently be used<br />
for false purpose.<br />
Automatic, real-time recognition issues: As mentioned<br />
above, the present technology for DNA comparison<br />
requires complicated and exacting chemical<br />
methods that require specific expertise; DNA testing<br />
and reading is not designed for automated, non-invasive<br />
recognition.<br />
Privacy issues: Information about a person’s proclivity<br />
to certain diseases, or whether a person currently<br />
suffers from a disease or condition, could be ascertained<br />
from the DNA data, resulting in concern that<br />
abuse, whether intended or accidental, of genetic<br />
42 An Introduction to <strong>Biometric</strong> Recognition. Jain, Ross, and<br />
Prabhakar. IEEE Transactions on Circuits and Systems for Video<br />
<strong>Technology</strong>. January 2004 IEEE. Used with permission..<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 65<br />
code information could become public and/or result in<br />
discrimination.<br />
Ear Shape<br />
Some biometricians believe the shape of the ear and<br />
the structure of the cartilaginous tissue of the pinna<br />
area (outer area of the ear) to be distinctive, and that the<br />
structure of the ear does not change significantly over<br />
time. Medical literature reports that ear growth after the<br />
first four months of age is highly linear or proportional.<br />
Ear shape biometrics research is currently based on law<br />
enforcement needs to collect ear markings and shape information<br />
from crime scenes. The technology has some<br />
potential in limited access control applications, in similar<br />
use as hand geometry. Currently there are limited research<br />
activities underway with ear shape biometrics.<br />
Identification by ear shape is passive, like facial recognition,<br />
but instead of using the difficult-to-extract face geometry,<br />
ear shape biometrics use the ear features more<br />
like fingerprinting. The external structure of the ear contains<br />
the following regions of interest that can be used<br />
for biometric measurement: Helix rim, lobule, antihelix,<br />
concha, tragus, antitragus, crus of helix, triangular fossa,<br />
and incisure intertragica.<br />
Ear recognition technology is based on comparing the<br />
distance of salient points on the pinna from a “landmark”<br />
location on the ear. A machine vision-based method of<br />
ear identification has been developed that localizes and<br />
segments a subject’s ear via a grayscale CCD camera-acquired<br />
image using contours. Once segmented, the features<br />
are computed and the difference between the<br />
Version 2 – Summer 2008
Section 3 66 Types of <strong>Biometric</strong> Technologies<br />
enrollment biometric template is computed and compared<br />
with the live (presented) biometric and a match or<br />
no-match decision is made.<br />
One of the primary arguments against ear shape<br />
biometrics is that ears are often hidden or covered by<br />
hair or hats, rendering them unusable. In selected populations,<br />
however, such as the military where hair is kept<br />
short and above the ears, this technique could be applicable<br />
and useful when supplementing other automated<br />
methods.<br />
Figure 3-6 Rendering of the structure of the external ear. 43<br />
Facial Thermography<br />
Facial thermography refers to the pattern of heat in the<br />
face caused by the flow of blood under the skin. IR cameras<br />
capture this heat to produce a thermal pettern. Because<br />
the vein patterns in a person’s face are distinctive,<br />
the IR thermal pattern they produce is also distinctive to<br />
each person. The process is based on the principle that,<br />
while the underlying vein and tissue structure is stable,<br />
43 Reprinted from Gray’s Anatomy, 39th Edition 2005 Elsevier<br />
Ltd, with permission from Elsevier.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 67<br />
the dynamic nature of blood flow causes fluctuations and<br />
the appearance/disappearance of secondary patterns.<br />
Environmental conditions such as ambient temperature<br />
and the introduction of alcohol or drugs, for example,<br />
can alter the thermal signature of the face.<br />
This technology is better suited to determine “liveness” of<br />
the subject - no thermal image indicates no life - than for<br />
actual identification of the individual. Facial thermography,<br />
used in conjunction with other biometric technologies,<br />
could indicate a rested or fatigued person or determine<br />
physical condition, such as indications of alcohol<br />
use, although this has never been demonstrated in any<br />
commercially available technology.<br />
One major technical advantage of this technology, however,<br />
is that it does not use infra-red cameras to illuminate<br />
the face, but rather relies on the infrared emmissions<br />
generated by the face itself. This capability is extremely<br />
useful in surveillance applications, especially when it is<br />
necessary to identify people in dark places or at night.<br />
Finger Geometry<br />
Finger geometry biometrics is very closely related to hand<br />
geometry and has achieved limited success as a competitor<br />
to hand geometry in access control and time and attendance<br />
applications. This technology can be used, for<br />
example, in ATMs, border checkpoints, mobile payment<br />
vehicles for distribution of public benefit funds, air passenger<br />
identification and other general access control<br />
applications.<br />
Spatial geometry of the finger(s) is examined as the user<br />
puts his/her hand on the sensor’s surface. Two varia-<br />
Version 2 – Summer 2008
Section 3 68 Types of <strong>Biometric</strong> Technologies<br />
tions of capture processes are used, one of which is similar<br />
to hand geometry but uses a smaller footprint. The<br />
second technique marketed in the early 1990s requires<br />
the user to insert a finger into a “tunnel” so that the circumference<br />
of the finger at several locations could be<br />
measured.<br />
Gait<br />
Gait biometrics is a complex spatio-temporal biometric<br />
that uses an individual’s walking style or gait to determine<br />
identity. Gait is not necessarily distinctive, but<br />
sufficiently discriminatory to allow verification in some<br />
low-security applications or used in conjunction with<br />
other identification mechanisms. It is particularly useful<br />
in identifying someone from a distance or when only<br />
low image resolution footage is available, as with CCTV<br />
cameras, and with or without their cooperation. It can<br />
spot people who are moving around in suspicious ways,<br />
which may include repetitive walking patterns or movements<br />
that do not appear natural given their physicality.<br />
Since gait measurement is a behavioral biometric that<br />
depends upon walking surface and type of shoe worn,<br />
it may not remain stable over a long period of time due<br />
to those factors as well as fluctuations in body weight,<br />
injuries, or intoxications. Wearing a trench coat can mask<br />
the feet and using flip-flops can also throw off measurements.<br />
Though still in its infancy, the technology is no<br />
longer under active investigation, having lost most of its<br />
funding sources in 2004. Presently (at time of this publication),<br />
gait recognition is much less diagnostic than<br />
other methods, but it can act as a screening tool in conjunction<br />
with other biometric methods.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 3 69<br />
Gait recognition imaging and analysis is achieved by<br />
computer vision or with the help of a radar system. The<br />
former uses video cameras to analyze the movements<br />
of each body part - the knee, foot, shoulder, and so on.<br />
The latter uses radar to bombard the subject with invisible<br />
radio waves. Each person’s walking speed and style<br />
will make the waves bounce back differently. The result<br />
is a type of composite signature that characterizes the<br />
overall unique signature of the walk. Computer analysis<br />
can be used to parse digital video images and study both<br />
static body and stride parameters.<br />
The ultimate goal of gait biometrics is to detect and recognize<br />
people at extended distances under day or night<br />
and all-weather conditions.<br />
Rhythm/Tapping Sequence<br />
In the early days of telegraphy, operators could identify<br />
each other by recognizing the way in which they tapped<br />
out messages. This simple idea has been used as a type<br />
of biometric, using newly developed polymer thick-film<br />
pressure sensors that can detect the unique cadence of a<br />
tapped rhythm and verify identity.<br />
This method exploits the differences with which individuals<br />
tap out a rhythm, capturing the pattern of taps<br />
on a single sensor rather than the pattern of keystrokes<br />
on a keyboard ( such as keystroke dynamics). A tapping<br />
sequence can have both waveform and rhythm features.<br />
Waveforms are studied for unique charachterisics, such as<br />
height and duration. Like sound waves, pressure points<br />
provide measurable wavelenths. Recognition by rhythm<br />
is so simple it may be possible to implement on devices<br />
such as smartcards and PDAs by screen-printing a<br />
Version 2 – Summer 2008
Section 3 70 Types of <strong>Biometric</strong> Technologies<br />
sensor onto a thin layer of Mylar that is bonded onto the<br />
device.<br />
Keypad pressure sensors may run up against many of<br />
the same obstacles as the early keystroke-pattern recognition<br />
systems. A user must apply the sensors with a<br />
substantial amount of initial input in order to train the<br />
sensors to recognize the individual’s unique waveform<br />
signature. Biological responses like fatigue can change<br />
the pattern of the user’s input in the course of such a test.<br />
Factors such as posture or position relative to the sensor<br />
pad can also affect the user’s pressure “signature.”<br />
Skull Resonance<br />
Skull resonance is a developing form of biometric identification<br />
by which sound waves are passed through the<br />
head of a subject to produce a unique sonar profile.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 1<br />
Section 4: The <strong>Biometric</strong> System Design<br />
Process<br />
Designing a practical and functional biometric system or<br />
more properly a “subsystem” since few biometric applications<br />
stand alone is a combination of art and science with<br />
a heavy dose of common sense. Whether or not an experienced<br />
practitioner or systems integrator is engaged to<br />
assist in this process it will be helpful for the user/buyer<br />
to understand the key elements of the design process,<br />
and some of the more important considerations that<br />
should be included in that process.<br />
This section deals with the key elements of the design<br />
process for insight and as a guide to any procurement action<br />
for a biometric system, even if the action includes<br />
the complete design process. The key elements or phases<br />
are:<br />
A. The System Concept,<br />
B. The Requirements Definition, and<br />
C. The Systems Specification.<br />
The latter part of the section provides real world examples<br />
of biometric access control systems, including physical<br />
A/C, logical (virtual) A/C, and a combined domain system.<br />
The system or application concept defines the context<br />
and objectives for the biometric system or product suite<br />
that will be procured. It need not be a lengthy document,<br />
but it must be sufficient in description and detail to clearly<br />
communicate the ultimate performance that you will<br />
Version 2 – Summer 2008
Section 4 2 The <strong>Biometric</strong> System Design Process<br />
expect of the system.<br />
The requirements definition should be articulated in sufficient<br />
detail and clarity to fully address the performance<br />
characteristics expected of the system, short of detailed<br />
product or system specifications. It should be complete<br />
enough to allow the evaluation of proposed solutions<br />
and alternative approaches that can still meet the system<br />
concept goals.<br />
The system specification is the detailed technical order<br />
for the operating system and is the equivalent to the<br />
architectural blueprints and technical narrative for construction<br />
of a building. While the details of developing<br />
the system specification exceed the scope of this manual,<br />
and are usually prepared by professionals, a description<br />
of basic content is described below.<br />
A. System Concept Development<br />
The first step in concept development is to decide what<br />
the operational system should do. In other words, what<br />
role does an identity assurance function play in the overall<br />
operation, as well as the specific application that you<br />
may have in mind for the biometric component. All who<br />
are involved will need to know first how the new system<br />
will be employed in both a broad sense and also in sufficient<br />
detail to support a specific procurement action.<br />
<strong>Application</strong> Concepts<br />
Basic to developing a system concept is understanding<br />
how the system will be applied. To summarize Section 9<br />
of BTAM Volume 2, there are many different ways to cat-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 3<br />
egorize applications--not one of which is absolutely correct<br />
or universally accepted in the biometric community.<br />
One’s choice of categorization, or taxonomy, depends on<br />
one’s objectives; however, one that is useful both for clarity<br />
of thinking and for understanding of the issues. These<br />
are functional categorizations:<br />
1. Access Control either physical or logical (virtual). The<br />
most common application in use today where one’s<br />
identity is established or verified before allowing access<br />
to a space or a network/domain.<br />
a. Physical access control - meaning the authenti-<br />
cation of authorized individuals in order to validate<br />
physical access to an area, facility, building,<br />
room, space, or other protected asset location.<br />
b. Logical or information access control - also re-<br />
ferred to as computer or cyber security; means<br />
authentication of an authorized individual in<br />
order to validate access to a network, program,<br />
data, or other electronic or computer based asset.<br />
2. Identification such as for watchlists, prisoners, driver’s<br />
license applicants, etc.<br />
3. Benefits eligibility, such as food stamps, welfare, ration<br />
cards, etc.<br />
4. Commercial transactions such as credit card users,<br />
bank customers, etc.<br />
By understanding the type of application most suitable<br />
for your particular circumstances, one can more clearly<br />
Version 2 – Summer 2008
Section 4 4 The <strong>Biometric</strong> System Design Process<br />
articulate objectives that the system must ultimately<br />
meet. Although access control is historically the most<br />
common and is frequently used as example, there are<br />
other applications whose fundamental purpose differs<br />
from access control and this should be kept firlmy in mind<br />
as the system concept is developed. (See discussion in<br />
paragraph D <strong>Biometric</strong> Access Control.) Additionally,<br />
recognize that complex identity assurance systems<br />
may involve more than one category of application and<br />
objectives.<br />
Objectives<br />
Objectives derive naturally from the type of application<br />
envisioned, such as:<br />
1. Access Control - verify that a user’s identity matches<br />
that of a specific person who is authoized access to a<br />
space or network/domain. (Note that a biometric system<br />
does not verify that a person has a right and need to<br />
have access. That determination is made administratively<br />
before allowing a user to enroll in a biometric system.)<br />
2. Identification includes the following: Identify an individual<br />
who is in a database of personae non gratis (a<br />
watchlist of undesirables). Determine if a person has<br />
ever been booked or imprisoned, and if so, who the individual<br />
is. Determine if an individual has ever been issued<br />
a driver’s license before, and if so, is it under the same<br />
identity they are currently claiming.<br />
3. Benefits eligibility - determine if an individual has ever<br />
made a claim for food stamps, welfare, ration cards, etc.,<br />
and if so, is it under the same identity they are currently<br />
claiming.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 5<br />
4. Commercial transactions - determine if a customer’s<br />
identity matches identity information stored on a credit<br />
card. Determine if an individual seeking access to a safe<br />
deposit box is in fact the owner of that box. Determine<br />
if an individual cashing a check has a legitimate account<br />
with sufficient funds to complete the transaction.<br />
Operational Considerations and<br />
Constraints<br />
When the applications and objectives have been determined,<br />
the concept should next address the operating<br />
environment in which the biometric system will be expected<br />
to function. The individual or team responsible<br />
for concept development must be realistic and practical<br />
in establishing the expectations for both operational<br />
integration and the routine performance of the system<br />
when placed under human control. Significant operational<br />
considerations include, but are not limited to, the<br />
following:<br />
1. The Threat: What is the rational prospect of a threat<br />
against the operating system from a hostile, economic,<br />
or asset loss perspective involving a failure in identity assurance?<br />
What is the nature and presumed capability of<br />
that threat? Is it covert or overt? What has been the experience<br />
in the past? What is the justification for increased<br />
measures or countermeasures against that real or now<br />
perceived threat? Understand the difference between<br />
the casual and focused threat.<br />
2. The Vulnerability: What problems or weaknesses in<br />
the identity assurance or security program exist in the organization<br />
today? How have those been exploited in the<br />
Version 2 – Summer 2008
Section 4 6 The <strong>Biometric</strong> System Design Process<br />
past and to what extent? Where are the critical points in<br />
routine or non-routine operations? Where would an attack<br />
on the program create the most disruption and least<br />
possibility for quick recovery?<br />
3. The Geography: Consider the macro-environment,<br />
meaning the scope of the space or spaces to be protected.<br />
For example, if this is a physical domain: (1) One room<br />
or many? How many?; (2) One building or many? How<br />
many?; (3) One campus or several? How many?; (4) An<br />
integrated global enterprise? A global enterprise with<br />
no integration?<br />
4. The Environment: Will the system operate indoors<br />
only? If an outdoor requirement exists, will a kiosk or other<br />
outdoor or climate control facility to host the biometric<br />
component be acceptable and feasible? What unusual<br />
conditions exist in the planned location that may affect<br />
biometric technology performance (light, heat, cold,<br />
noise, electronic interference, etc.)?<br />
5. The User Population: What is the scope and nature of<br />
the demographics (characteristics) of the planned user<br />
group (age spread, handicaps, etc)? Are there any occupational<br />
issues that affect biometric performance? (See<br />
Section 3 of this manual on product/technology limitations.)<br />
6. The Interface: What other systems or subsystems is<br />
the biometric system expected to work with? Is the interface<br />
simple compatibility or a more complex integration<br />
and interoperability? For example, will physical access<br />
granted at each site be reported in near-real time to HQ?<br />
Will correct physical entry be linked to computer logon<br />
in such a way that both must occur?<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 7<br />
7. The Privacy and Social/Cultural Environment: What<br />
are the concerns that may be faced when considering the<br />
nature of the user base? (See Section 7.) What increase in<br />
the level on inconvenience will your management and<br />
employee base tolerate for an improved identity assurance<br />
and security program? This includes such issues as<br />
orientation/training and enrollment, slower throughput<br />
or increased transaction times at entry portals, repeat authentications<br />
for any reason etc.<br />
A summary of the results of the concept development<br />
exercise described above will lead directly to a more formal<br />
definition of requirements.<br />
B. The Requirements Definition<br />
In brief, the Requirements Definition phase describes the<br />
new biometric system in precise and comprehensive detail<br />
(short of a formal system design specification), both<br />
for the system itself and the anticipated operating environment<br />
after installation. This description includes a<br />
performance specification that addresses all operating<br />
needs and application capabilities and provides an exact<br />
count of the number of biometric devices to be provided,<br />
the number of devices for use outdoors, the number to<br />
be used indoors, and the number of enrollment points<br />
desired. For each outdoor location, the description must<br />
also provide historical weather conditions in terms of<br />
temperature range, humidity range, precipitation types<br />
and amounts. For all locations, the description must include<br />
the physical location of power supplies relative to<br />
the biometric device mounting point and the power rating<br />
in volts and hertz.<br />
Components of the requirements definition could<br />
Version 2 – Summer 2008
Section 4 8 The <strong>Biometric</strong> System Design Process<br />
include:<br />
1. <strong>Application</strong>, Function, and Objectives desired.<br />
2. Operating Environment and Limitations.<br />
3. Performance Specifications.<br />
While most of the components of the requirements<br />
definition are derived from the Concept Development<br />
Phase, the performance specification has significantly<br />
more detail about special criteria that the use may feel<br />
is necessary, even before a designer/integrator is employed.<br />
These could include some or all of the following<br />
considerations:<br />
a. <strong>Technology</strong> Limitations:<br />
If possible, a systems<br />
designer or integrator may be relied on to select<br />
the best technology or combination of technologies<br />
suitable for the application and purpose.<br />
However, if the user (buyer) is convinced that<br />
a technology will not be suitable for his needs,<br />
he should mention that exclusion in the performance<br />
specification or specify those that are acceptable.<br />
Operating Speed<br />
b. : Generally in biometrics this<br />
is expressed as the throughput rate and is described<br />
as the number of end users that a biometric<br />
system can process within a stated time<br />
interval (such as hour or minute). When possible,<br />
the new throughput rate should be equal to<br />
or less than what the current system permits, unless<br />
there is an institutional commitment to less<br />
speed for more accuracy (or security).<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 9<br />
c. Accuracy:<br />
Generally expressed as the False<br />
Match Rate. The tolerance for a False Acceptance<br />
(Type 2 error) will be much lower than the tolerance<br />
for a False Rejection (Type 1 error) since little<br />
or no harm is done in rejecting an authorized<br />
person. On the other hand, tightening the controls<br />
so that the number of False Acceptances is<br />
minimized will dramatically increase the number<br />
of False Rejections, a consequence that employees<br />
and officers of many companies will come to<br />
resent. It may also adversely affect the system<br />
throughput rate by forcing individuals to repeat<br />
entry requests.<br />
d. Minimal Failure to Enroll Rate:<br />
As an observation,<br />
virtually all biometric technologies suffer,<br />
by varying degrees, from an inability to enroll a<br />
certain percentage of people for one reason or<br />
another. There should be a dialog between the<br />
system user/buyer and potential vendors to ensure<br />
that proposed biometric systems are consistent<br />
with the ethnic or socio-cultural nature of<br />
the pool of users to minimize the likelihood of a<br />
significant failure to enroll users. For example, an<br />
auto repair shop is likely to have many mechanics<br />
with rough and oily hands and should avoid<br />
using biometric devices sensitive to fine features<br />
of the hand or fingers.<br />
e. User Population:<br />
The specification should provide<br />
a headcount of users as well as a breakdown<br />
of users by type, such as:<br />
–<br />
–<br />
Full-time employees without access restrictions.<br />
Full-time employees with limited access entitle-<br />
Version 2 – Summer 2008
Section 4 10 The <strong>Biometric</strong> System Design Process<br />
–<br />
–<br />
–<br />
–<br />
–<br />
ments.<br />
Part-time employees with and without restrictions.<br />
Number of vendors, sub-contractors, consultants,<br />
etc., who may require varying degrees of full or<br />
limited access.<br />
Anticipated total number of visitors per year.<br />
Number of visitors expected to return periodically<br />
to site.<br />
Number of visitors requiring unescorted access<br />
to specified areas.<br />
<strong>Biometric</strong> systems vary in their ability to process<br />
large numbers of users. They also vary in the level of<br />
effort required to enroll and delete users from their<br />
databases. The license fee cost of some systems varies<br />
as a function of the number of enrolled users.<br />
Providing vendors with the headcount estimates will<br />
help the vendor determine whether their products<br />
will accommodate the expected volume.<br />
f. Networking Issues: The user/buyer should provide<br />
a comprehensive description and outline of the<br />
available network to be used to support the biometric<br />
system. Typically, security system data and control<br />
signals should have secure, dedicated circuits<br />
not subject to the volume of unrelated data flow<br />
through the network. This prevents inadvertent diversion<br />
of security-related information to unauthorized<br />
persons, and to prevent a stoppage or degradation<br />
of service due to traffic volume.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 11<br />
g. Quantities: The performance specification can<br />
include anticipated quantities of controlled access<br />
points, or even specify products and equipment if<br />
the technology has already been selected.<br />
h. Privacy and Personal Information Issues: The user/<br />
buyer should examine the nature of personal information<br />
likely to be in its information systems and the<br />
types of personal information that must be withheld<br />
from disclosure through any unauthorized channel.<br />
The vendors will need to know what types of information<br />
will be prohibited from transmission through<br />
any part of the biometric system.<br />
i. Contact vs. Non-contact System Preferences: Some<br />
biometric systems (such as fingerprint and hand geometry)<br />
require physical contact between the user<br />
and the biometric device. Other biometric systems<br />
(such as iris recognition, voice recognition, facial recognition,<br />
etc.) do not. The desired system description<br />
must make it clear if there are any constraints prohibiting<br />
or requiring physical contact between the user<br />
and the biometric device.<br />
4. Interface and Interoperability Requirements<br />
5. Documentation Requirements<br />
a.<br />
b.<br />
c.<br />
d.<br />
System operating diagram<br />
Operating manual(s)<br />
Schematics<br />
Maintenance plan.<br />
Version 2 – Summer 2008
Section 4 12 The <strong>Biometric</strong> System Design Process<br />
6. Training Requirements<br />
7. Schedule and Required Operational Capability Date<br />
(if any)<br />
C. The System Specification<br />
The System Specification generally comprises three key<br />
components:<br />
1. The customer background information likely to have<br />
a bearing on products and/or system proposed and the<br />
general system description contained in the System Concept<br />
described above. Often called an “Operating Environment<br />
Description”, these are the descriptions of the<br />
various sites and locations into which the new system<br />
will be inserted and operated. It consists of the following:<br />
a. Location description(s)<br />
b. Interior environment(s)<br />
c. Sound & lighting details<br />
d. Exterior description<br />
e. Weather conditions expected<br />
f. Environmental limits expected (if relevant and<br />
appreciable)<br />
1. Temperature ranges<br />
2. Humidity<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 13<br />
Version 2 – Summer 2008<br />
3. Vibration<br />
4. Barometric pressure<br />
g. Number of users (staff & visitors)<br />
h. Number of portals/devices estimated<br />
i. Number of enrollment points estimated<br />
2. The performance expectations and operating features<br />
the selected product must satisfy as expressed in the Requirements<br />
Definition described above.<br />
3. The detailed Technical Requirements necessary to fulfill<br />
the design objectives, procure and install the system, and<br />
fully integrate it for operational capability. The technical<br />
sections of the System Specification will vary by title and<br />
content from different designers or integrators. There is,<br />
however, a minimal amount of information that should<br />
be included in any system specification, including:<br />
a. Power requirements including source and<br />
location(s)<br />
b. Proposed products and components<br />
c. Hardware<br />
d. Software<br />
e. Peripherals<br />
f. Network and support
Section 4 14 The <strong>Biometric</strong> System Design Process<br />
D. <strong>Biometric</strong> Access Control (A Design<br />
Example)<br />
1. Introduction<br />
The majority of biometric systems provide routine access<br />
control in buildings, offices, welfare programs, or information<br />
systems. Authorized persons are enrolled in the<br />
biometric system and, upon recognition or confirmation<br />
of identity by live presentation of the enrolled feature,<br />
are granted access to the protected asset or privilege.<br />
<strong>Biometric</strong> systems used in these applications often use<br />
precision equipment and technologies with very low error<br />
rates. The remainder of Section 4 will focus on access/entry<br />
control applications as an example of how the<br />
design process described above will meet specified requirements.<br />
Although the False Accept/Reject vs. False Match/Non-<br />
Match issue was introduced earlier in this manual in Section<br />
2, it is important to review the issue when discussing<br />
design, requirements and system specifications. It is absolutely<br />
imperative that a user understand and articulate<br />
to his designers and suppliers his needs regarding what<br />
a biometric system is expected to do for him/her. Blindly<br />
insisting on the lowest possible False Match rate for example,<br />
can be a disaster in a negative identification system<br />
where a False Non-Match is the critical failure and a<br />
False Match is merely a nuisance to be sorted out later.<br />
In conventional access control applications, the industry<br />
uses the terms False Accept and False Reject to refer to<br />
observed processing errors. A False Accept error occurs<br />
when the biometric system accepts the subject’s implied<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 15<br />
assertion that they are in the database but are not. This<br />
happens when the biometric image presented (face, iris,<br />
fingerprint) by an un-enrolled person closely matches<br />
the reference of an enrolled person well enough under<br />
the environmental conditions of the moment. A False<br />
Reject is just the opposite and occurs when the biometric<br />
system fails to recognize a person otherwise properly<br />
enrolled and authorized access.<br />
In addition to true False Reject errors that occur due to<br />
the nature of the image comparison algorithms and their<br />
pass/reject scoring process, rejections can occur when<br />
the biometric is obscured by foreign objects on the body<br />
or the imaging device. For example, such an error might<br />
occur when a mechanic has been working with greasy<br />
auto parts and whose fingerprints are too dirty to be<br />
properly imaged. A similar error might occur when a person<br />
moves his/her head quickly while the iris is being imaged<br />
for recognition. These rejections are attributed to a<br />
Failure to Acquire (FTA). Since many modern biometric<br />
devices have relatively low FA/FR error rates, most False<br />
Rejects are most likely to actually be FTAs. While little can<br />
be done to eliminate False Reject errors, 44 the positive aspect<br />
of FTAs is that the problem can be corrected quickly,<br />
cheaply, and simply by training the subject to present<br />
clean hands to fingerprint devices and to stand straight<br />
and steady before iris recognition systems.<br />
FR errors take on more significance in the commercial ap-<br />
44 In theory, FR errors can be reduced significantly but will increase FA errors.<br />
FR errors in conventional applications are administrative nuisances<br />
that annoy the users but do not jeopardize the security of the protected<br />
assets. FAs, on the other hand, represent a real hazard to those assets.<br />
Consequently, systems are normally adjusted to minimize FAs without<br />
creating an unacceptable level of FRs.<br />
Version 2 – Summer 2008
Section 4 16 The <strong>Biometric</strong> System Design Process<br />
plication of biometrics because they frustrate and annoy<br />
legitimate customers and thwart or delay the transaction<br />
they wish to complete. This problem may motivate system<br />
owners/operators to accept a higher FA rate to reach<br />
a more permissive or convenient operation. This might<br />
even be appropriate in an ATM application where large<br />
losses are prevented by applying other constraints such<br />
as maximum withdrawal limits and limiting withdrawals<br />
to one per person a day.<br />
Scientists and researchers in the field have noted<br />
that the terms False Accept and False Reject<br />
are decision errors and are thus application-<br />
specific describing the outcome of the decision process.<br />
In the access control context, therefore, False Accept errors<br />
are caused by False Match (FM) errors and False Reject<br />
errors are caused by False Non-Match (FNM) errors.<br />
This terminology takes on additional value in discussions<br />
of other applications of biometric technology where the<br />
FA/FR terms would be inappropriate.<br />
2. A “Before and After” Perspective in<br />
Access Control Design<br />
A biometric device may be used in virtually any scenario<br />
in which one might otherwise use a key, identification<br />
card, security card, or password to gain access into a<br />
physical facility, a virtual domain (information system),<br />
or a welfare process. Examples of these applications include<br />
using a:<br />
•<br />
Key to open a door to a protected building or a room<br />
within that facility<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 17<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Combination to open a padlock securing a door<br />
“Proximity Card” to open a door to a secured area<br />
Driver’s license to pass through an airport security<br />
line<br />
Company ID card to move from a public area into a<br />
secure company area<br />
Password to log onto a personal computer or into a<br />
company information system<br />
State-issued ID card to participate in a welfare funds<br />
distribution system<br />
Each of these examples illustrate two of the three tools<br />
used for security and access control:<br />
1.<br />
2.<br />
3.<br />
Something (or token) that you hold or possess (e.g.,<br />
a key, card, or ID)<br />
Something that you know (e.g., a combination or<br />
password)<br />
<strong>Biometric</strong>s provides the third tool - something you<br />
are, some observable physical feature that can be<br />
used to uniquely identify a person.<br />
Interestingly, objections to biometrics have been raised<br />
based on the realization that biometrics are not perfect.<br />
There seems to be some shock effect when confronted<br />
by the concept of biometric error rates when, in fact,<br />
traditional solutions are far and away more error prone<br />
and vulnerable than biometric solutions. Consider the<br />
case of a simple lock and key. The False Non-Match Error<br />
Version 2 – Summer 2008
Section 4 18 The <strong>Biometric</strong> System Design Process<br />
(FNM) rates of a physical key from a locksmith are fairly<br />
low, but think of the times when a key had to be jiggled<br />
and wiggled before the lock would open. This is a type<br />
of false reject. The same thing often happens with room<br />
cards issued by hotels that have to be jostled and twisted<br />
to make the door open. The owner of the key is entitled<br />
to access but the system, for a period, rejects attempts<br />
to enter.<br />
It is likely the FNM of a lock and key is worse than many<br />
biometric systems. As the lock (or key) ages, this becomes<br />
more true. The False Match Rate (FMR), though, is<br />
equal to the likelihood that the lost key will be found and<br />
used, or that it may be stolen and used, a likelihood one<br />
should believe to be quite high, certainly much higher<br />
than even the weakest biometric solution in many cases.<br />
Likewise, other tokens, such as ID cards or proximity<br />
cards, are easily and often lost or stolen and potentially<br />
misused. Certainly, stolen tokens will most likely be misused<br />
at the first opportunity (before a lost or stolen card<br />
report is filed) and there is little to prevent such misuse.<br />
Simple possession of the card is assumed to equal entitlement.<br />
The point to be made here is that error rate expectations<br />
should be realistic, both in the context of the assets to be<br />
protected and with respect to the type and nature of the<br />
biometric technology to be used. As noted, access control<br />
tokens (keys, cards, etc.) provide poor security if stolen<br />
or forged and knowledge-based controls (password,<br />
pass phrases, etc.) are routinely compromised through<br />
guile, theft, and carelessness. To insist that a biometric<br />
system replacing these older tools perform without error<br />
or mishap is both unrealistic and unreasonable. Properly<br />
used, current biometric systems routinely offer reliability<br />
levels on the order of 95–99 percent. To require perfec-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 19<br />
tion or a 0 percent error rate is unreasonable and unachievable.<br />
Those who would demand this level of performance<br />
should place their requirement in the context of<br />
their current situation where the reliability of existing access<br />
control technology is often less than 60–75 percent.<br />
It is reasonable to expect that any biometric system installed<br />
to replace an existing access control system perform<br />
as well as the system it is replacing. It is reasonable<br />
to expect that the new system, in concert with other security<br />
measures employed satisfy the owner’s “duty to care”<br />
responsibilities. Basically, owners and senior managers of<br />
a corporate enterprise have a fiduciary responsibility—<br />
“duty to care”—to stakeholders to provide adequate security<br />
and safeguards for corporate assets. This is often<br />
computed as the total value of assets—tangible and intangible<br />
(such as trade secrets)—times the likelihood of<br />
loss through natural disaster, fire, theft, fraud, or unauthorized<br />
taking, compromise, or viewing.<br />
In theory, providing loss insurance for the full value of<br />
these assets might satisfy this duty, but it is likely that the<br />
insurer will require that proper safeguards be installed to<br />
minimize the likelihood of such losses. Often, however,<br />
the implementation of a biometric system can eliminate<br />
the need to pay for recurring security measures such as<br />
keys, cards, password help desks, etc., resulting in significant<br />
life-cycle savings without compromising the company’s<br />
security posture, thus satisfying both the insurer<br />
and the stakeholders.<br />
The most difficult aspect of managing these issues in an<br />
IT environment is that both loss and compromise of corporate<br />
information assets are frequently hard to discern.<br />
First, it is uncertain, without a full-scale investigation, to<br />
determine whether proprietary information (or intellec-<br />
Version 2 – Summer 2008
Section 4 20 The <strong>Biometric</strong> System Design Process<br />
tual property) has been compromised unless the benefactor<br />
of such a compromise makes a blatant use of the<br />
information, such as producing a new beverage identical<br />
in flavor and content to Coca-Cola. In larger organizations,<br />
accounting allowances are made for shrinkage or<br />
breakage. How much of the historic levels of shrinkage<br />
or breakage have been the result of employee theft vs.<br />
employee mishap? Improved security measures should<br />
reduce the incidence of employee theft, but this statistic<br />
will be some time in coming and will still be presumptive<br />
at best. In a larger sense, of course, the security of such<br />
assets is not normally left to a single access control strategy<br />
but to a solution in which there are several layers of<br />
safeguards.<br />
In brief, it is important that specifications for a biometric<br />
system begin with the articulation of a concept of application.<br />
Rather than using a specific biometric, such as<br />
fingerprint or iris or hand geometry, it would be best to<br />
express the concept using the term biometric.<br />
The simplest way to start the concept description would<br />
be to describe the current process—how things are done<br />
today—then substitute the word biometric wherever<br />
the current process uses a token of some sort to validate<br />
the subject and use the term present in any place the description<br />
might use the word(s) insert, show, display, or<br />
some other descriptor.<br />
Example 1—Plant Door Access Control<br />
Current Practice: Proximity technology-based keycards<br />
are issued to all staff and selected visitors for access to<br />
company facilities. At the time of enrollment, user permission<br />
to pass selected doors at specified dates and<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 21<br />
times is defined by the Security Office in conjunction with<br />
the user’s organization and company policies. The user<br />
approaches the selected door and holds the proximity<br />
card within a few inches of the card reader. Each month,<br />
4.5 percent of the cards are lost, mutilated, or otherwise<br />
become unusable and must be replaced at a cost of US<br />
$1.50 per card. This represents an annual expense of US<br />
$810 to replace the cards and US $10,800 for the labor<br />
time of the Security Officer to initially issue, and re-issue<br />
the card, for a total annual expense of US $11,610. In addition<br />
to the issue and re-issue cost to cards, each lost or<br />
stolen card represents a real potential for access to the<br />
company facilities by one or more unauthorized persons.<br />
Theft or destruction of company property could be quite<br />
substantial, possibly in excess of several million dollars.<br />
The Security Officer believes that the quality of secure<br />
access control would be greatly enhanced and the cost<br />
of access control greatly reduced by the transition to a<br />
biometric-based access control system.<br />
New Operational Concept: All staff and selected visitors<br />
will be enrolled in a fingerprint-based biometric system<br />
and issued a four-digit PIN. At the time of enrollment,<br />
user permission to pass selected doors at specified dates<br />
and times are defined by the Security Office in conjunction<br />
with the user’s organization and company policies.<br />
A fingerprint reader is installed at each location where<br />
there was a proximity card reader. The user approaches<br />
the selected door, enters his/her PIN on the keypad and<br />
places the enrolled finger(s) on the platen.<br />
A phased transition is used to procure the biometric access<br />
control technology equipment and related software,<br />
enroll employees in the new biometric system, remove<br />
existing card readers, and install new biometric-based<br />
door controls and implement the new system.<br />
Version 2 – Summer 2008
Section 4 22 The <strong>Biometric</strong> System Design Process<br />
Example 2—IT System Access Control<br />
Current Practice: A company presently requires users to<br />
log onto the network using a password string consisting<br />
of letters (upper and lower case), numbers, and special<br />
characters, that is at least eight characters long. Passwords<br />
must not represent any word or parts of words<br />
found in dictionaries, nor should they include any calendar<br />
dates. There is concern for several reasons:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
These passwords are hard to remember, so many<br />
people write them down where they can be easily<br />
found near the computer monitor or desk drawer,<br />
representing an unintended opportunity for a security<br />
compromise.<br />
These passwords must be changed every 90 days.<br />
Forgotten passwords cannot be retrieved by the IT system<br />
administers, but must be reset to a common password,<br />
then reset to a new password by the user. This<br />
requires a few minutes time by the system administrator<br />
to reset to the temporary password and the time<br />
taken by the employee to create a new password (software<br />
on the network server ensures that the new passwords<br />
conform to the model described above).<br />
Time lost to resetting passwords represents an opportunity<br />
cost to productivity.<br />
Additional passwords are required to access selected<br />
applications such as the corporate accounting system<br />
with the same sort of associated hazards, problems,<br />
and costs.<br />
New Operational Concept: All staff will be enrolled in<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 23<br />
a biometric system. At the time of enrollment, user permission<br />
to use certain workstations and enter certain<br />
domains is defined by the Security Office in conjunction<br />
with the user’s organization and company policies. Each<br />
workstation and laptop computer will be equipped with<br />
a biometric-based access control device. The user approaches<br />
his/her workstation, enters his/her PIN on the<br />
keyboard of an assigned workstation, and then places<br />
the enrolled finger(s) on the platen attached to the<br />
workstation. User identification and validation at the<br />
workstation level is automatically passed by software to<br />
all authorized applications so the user does not have to<br />
repeat a log-in. Sensors will be installed in each workstation<br />
and set by the system administrator to log off<br />
or shut down the workstation if no activity takes place<br />
within a certain period of time or if the user moves away<br />
from the computer monitor.<br />
There are several significant benefits by switching to a<br />
biometrically-based IT-system access control system.<br />
These include:<br />
•<br />
•<br />
•<br />
Productivity savings by not having to reset or recreate<br />
passwords.<br />
Greatly enhanced IT security by eliminating the unauthorized<br />
posting of passwords in personal workspaces;<br />
thus keeping the system from being compromised.<br />
Elimination of other adverse practices by establishing<br />
personal accountability for proper use of computing<br />
equipment.<br />
Version 2 – Summer 2008
Section 4 24 The <strong>Biometric</strong> System Design Process<br />
3. The Architectural Aspects of an<br />
Automated Access Control Portal<br />
A portal, in this context, is an electronic controlled-<br />
access door. Figure 4-1 illustrates the key elements of<br />
the portal. Portals control the flow always into and out<br />
of a protected space or area.<br />
a. Central Control and Enrollment<br />
All access control systems involve a central enrollment<br />
process. At this point,<br />
persons authorized to<br />
access controlled spaces<br />
are enrolled or recorded<br />
into the system. Most<br />
electronic access control<br />
systems also include a<br />
central processing component<br />
that, upon completion<br />
of enrollment,<br />
broadcasts relevant enrollment<br />
data to each of Figure 4-1<br />
the portals in the system.<br />
In some systems, the data are transmitted to just those<br />
portals or portal control units through which a person<br />
is authorized to pass. In addition to the key enrollment<br />
data, the signal also includes instructions as to what days<br />
of the week and time of day access is permitted. The only<br />
system in which the broadcast does not occur is one in<br />
which all of the enrollment data are stored at the portal.<br />
b. Electronic Strike<br />
The key element of the portal is the electronic strike that<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 25<br />
releases the lock so the door may open. Normally, all this<br />
requires is a pulse of electricity of a certain voltage and<br />
duration. For this reason, great care must be taken to ensure<br />
that wires leading to the strike are protected from<br />
contact outside the protected space.<br />
c. Control Device/Control Units<br />
At the exterior of the protected area will be an access<br />
control device, which may be a cipher switch control,<br />
proximity card reader, contact card reader, biometric device,<br />
or a combination of these. There are normally two<br />
possible outputs from these devices.<br />
The first is a simple relay closure pulse sent to the electronic<br />
door strike activating it. In this scenario, all of the<br />
permissions of authorized users have to be stored within<br />
the device itself. The positive aspect is that such devices<br />
are normally inexpensive and simple to install. The negative<br />
aspects are that all enrollment has to take place at<br />
the portal, the device will have only a limited capacity,<br />
and there is likely to be a limited number of access rule<br />
options available.<br />
The second is a series of binary numbers sent instead to<br />
a door controller unit (DCU). The DCU may be located<br />
either at the central control/enrollment point, or it may<br />
be located near one or more doors under its control. The<br />
latter is the preferred and most common method. Often,<br />
the remote DCU has considerable storage and logic processing<br />
capacity. In the event communications are broken<br />
between the central control system and the various<br />
DCUs, the DCUs can continue to operate without interruption.<br />
The only persons affected will be those who enroll<br />
just before or during the communications break. In<br />
addition to facilitating the enrollment of a large number<br />
Version 2 – Summer 2008
Section 4 26 The <strong>Biometric</strong> System Design Process<br />
of people, remote DCUs also enable extensive rule processing<br />
to cover holidays, weekends, several shift periods,<br />
and so on.<br />
The negative aspect of a remote DCU is that it often sits<br />
on the inside of the protected space close to the controlled<br />
portal either on a wall or in a false ceiling, but<br />
accessible from the outside by intruders climbing up<br />
through the false ceiling, over the barrier wall, and into<br />
the protected space where they can take control of the<br />
DCU. In structures using false ceilings, special care and<br />
attention has to be made to preclude this type of circumvention.<br />
Structural rules for high security facilities often<br />
prohibit false ceilings and require solid concrete or steel.<br />
d. Request to Exit (RX)<br />
Inside the protected space and near the portal will often<br />
be a device designed to let the electronic strike release<br />
the door. While some doors will be designed so the door<br />
may be simply opened by turning the doorknob, more<br />
secure strikes require an electronic pulse to activate the<br />
release function. RX devices may be anything that can<br />
trigger this pulse. Some RXs are simple infrared or microwave<br />
motion sensors just like the kind that open doors<br />
at the grocery store, some may be a button on the wall<br />
next to the door that must be pushed to open the door,<br />
and some may be pressure pads under the carpet near<br />
the door. These simple RX devices ease exit when one’s<br />
hands are full, but contribute little to security.<br />
A more secure approach is to install a biometric reader<br />
(often identical to that on the exterior of the portal), to<br />
identify the person who is leaving the space or facility.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 27<br />
This “advanced RX device” records the identity of the<br />
person egressing the space or facility and the biometric<br />
system will not let the person (or credential, at least), enter<br />
any other space or facility until a valid exit event has<br />
occured. (See also the following section on Tailgating.)<br />
When tokens or cards dominated the access control business,<br />
this was known in the trade as an “anti-pass-back”<br />
feature. Today, application of biometric technology<br />
largely avoids the passback practice. Nonetheless, using<br />
biometric devices on the interior of spaces/facilities is<br />
useful and in some cases, critically important. In nuclear<br />
applications for example, it may be essential to know the<br />
location of every individual in near real time in the event<br />
of a life threatening emergency. In security and criminal<br />
investigations it may also be extremely important to be<br />
able to trace, re-trace, or verify the locations and paths of<br />
many individuals.<br />
e. Alarms<br />
Some portal systems may include a local alarm, a remote<br />
alarm, or combination of alarms that sound in the event<br />
of an access violation. Whether to include these is a question<br />
for local resolution and depends on the operating<br />
scenario in which the system is installed.<br />
f. Tailgating<br />
Tailgating occurs when one or more additional people<br />
pass through a portal on the strength of the leading person’s<br />
credentials - with or without that person’s knowledge/consent.<br />
In systems using anti-pass-back measures,<br />
individuals may not depart unless they have used<br />
their credentials (or biometrics) properly to enter. In other<br />
systems where anti-pass-back has not been invoked,<br />
the perils of tailgating are real and can be controlled in<br />
Version 2 – Summer 2008
Section 4 28 The <strong>Biometric</strong> System Design Process<br />
several ways.<br />
The least expensive (and least secure), is to make the subject<br />
of tailgating part of the overall security education<br />
motivation program in the institution, with appropriate<br />
actions and penalties for those who do not comply. Such<br />
a system relies on the integrity and motivation of each<br />
employee or assigned person, so a good enhancement<br />
to this policy would be the installation of CCTV cameras<br />
and video recording systems that would be activated every<br />
time the portal was opened for any reason. Unfortunately,<br />
while this approach might be useful to determine<br />
the identity of the unauthorized tailgaters, it would not<br />
prevent any adverse actions in the meantime.<br />
A method to thwart the human propensity for tailgating<br />
virtually eliminates the opportunity by installing full<br />
height turnstiles which allow only enough revolution for<br />
one person to enter the area at a time. Such devices are<br />
more expensive, but have been installed in numerous facilities,<br />
including nuclear power plants.<br />
A further refinement of this is<br />
the use of a chamber called<br />
a “sally port” (Figure 4-2), in<br />
which only one door may be<br />
open at one time. In certain<br />
extremely high security applications,<br />
such sally ports<br />
have been augmented by<br />
automated weighing (to insure<br />
only one person is pres- Figure 4-2<br />
ent), and use of automated<br />
sniffers to detect the presence of explosives. Naturally,<br />
each component adds to the cost of the controlled portal.<br />
It is a management decision to determine what level<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 29<br />
of security is required by the nature and/or value of the<br />
protected assets within the contolled space.<br />
g. Emergency Precautions<br />
The issue of what to do with controlled doors in the event<br />
of a fire or other emergency where immediate evacuation<br />
is required is a matter of code and policy, not technology.<br />
Most, if not all, security systems fail-safe, that is,<br />
the controlled doors are released so people inside can<br />
leave. If the only control in place is on entry into the protected<br />
facility or room, then egress is a simple matter of<br />
opening the door and leaving. If, on the other hand, both<br />
entrance and egress are electronically controlled, then<br />
releasing the doors for egress, of course, creates a serious<br />
security compromise and must be accommodated<br />
somehow. How it is treated depends very much on local<br />
circumstances and situations beyond the scope of this<br />
manual—or biometrics as a whole for that matter—to<br />
deal with. Those designing any access-controlled portal,<br />
regardless of the technology used, must develop a contingency<br />
plan to implement in the event of such a mishap.<br />
4. Critical Performance Expectations for<br />
an Access Control System<br />
a. Operating Performance<br />
•<br />
User-Interface, Ease of Use<br />
This is a subjective judgement heavily influenced by<br />
“Maximum Time to Enroll”. A user-friendly enrollment<br />
system should be unobtrusive, intuitive, and quick. The<br />
nominal time actually observed to enroll will suggest<br />
Version 2 – Summer 2008
Section 4 30 The <strong>Biometric</strong> System Design Process<br />
the degree to which such a statement is true. The<br />
purchaser may want to ask for a test and demonstration<br />
to determine this factor.<br />
•<br />
Maximum Time to Enroll<br />
This should be expressed in minutes or fractions of minutes.<br />
There should be a rational relationship between the<br />
number of enrollment points, the number of people to<br />
be enrolled and time available to complete enrollments<br />
under normal circumstances. Since Failure to Acquire Errors<br />
are often the consequence of a poor enrollment image,<br />
adequate time must be provided during enrollment<br />
to obtain high quality enrollment images. In larger organizations,<br />
the transition to a biometric system may create<br />
a requirement for a number of temporary enrollment<br />
stations that the vendor may provide gratis or rent for<br />
a short period to expedite the enrollment process. The<br />
vendor’s proposal should include a discussion of this issue.<br />
•<br />
Enrollment Sensitivity<br />
Again, this is a subjective measure best measured by the<br />
Failure to Enroll Rate below.<br />
b. Error Rate Tolerances<br />
•<br />
False Match Error Rate<br />
This is a key factor related to the purchaser’s acceptable<br />
level of risk that is, in turn, a function of a number of legal<br />
and fiduciary responsibilities discussed earlier in this<br />
section.<br />
•<br />
False Non-Match Error Rate<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 31<br />
Any adjustment to the False Match Rate has an inverse<br />
impact on the False Non-Match Rate. Tightening one<br />
will loosen the other, although not necessarily in a linear<br />
relationship. The purchaser should therefore specify a<br />
maximum acceptable False Non-Match Rate at the specified<br />
False Match Rate to preclude acquiring a system that<br />
meets the specified False Match Rate at the expense of<br />
an unacceptable number of False Non-Matches.<br />
•<br />
Maximum Failure to Enroll Rate<br />
Most all biometric systems have some limits on their ability<br />
to enroll certain individuals. Alternative security arrangements<br />
need to be made for these individuals. Proposals<br />
should identify the vendor’s estimate of this type<br />
of error. The purchaser must translate this to an expected<br />
number of enrollment failures and make a management<br />
decision whether this would be an acceptable number in<br />
light of the alternative security arrangements that would<br />
have to be made.<br />
•<br />
Maximum Failure to Acquire Rate (FTA)<br />
During the normal operation of a biometric, many devices<br />
suffer from a “Failure to Acquire” a useful image of<br />
the biometric being used. Examples include a smudged<br />
fingerprint, a poor iris image because the subject moved<br />
during imaging. From an operational perspective, FTA<br />
appears like a False Non-Match with the same consequence.<br />
Often, a higher quality enrollment image will<br />
result in a lower FTA rate. From a security management<br />
perspective, though, users will be indifferent to the actual<br />
reason for rejection: FR or FTA. The consequence is<br />
still the same - rejection. In practice, the combination of<br />
the system’s actual False Non-Match Rate and the FTA together<br />
should not exceed the purchaser’s stated accept-<br />
Version 2 – Summer 2008
Section 4 32 The <strong>Biometric</strong> System Design Process<br />
able False Non-Match Error Rate.<br />
c. Desired System Operating Speed<br />
The nominal or average speed under normal operating<br />
circumstances, expressed as Throughput, or<br />
Throughput Rate, or both:<br />
•<br />
•<br />
Throughput (Transaction time)=Seconds required to<br />
process one person<br />
Throughput Rate=Number of persons processed per<br />
hour or minute<br />
d. Standards Compliance<br />
Section 5 provides a comprehensive review of existing<br />
biometric standards. The Performance and System Specification<br />
should indicate whether products offered in response<br />
to the solicitation need to meet or comply with<br />
published standards.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 33<br />
5. Examples of Access Control Systems<br />
a. Physical Access Control<br />
Ex a m p l E 1. On E RO O m<br />
Number of Devices: 1<br />
Number of Enrollment Points: 1<br />
Environment: Interior<br />
Version 2 – Summer 2008<br />
Exterior<br />
Climate: Temperature<br />
Humidity<br />
Precipitation<br />
Normal light and sound,<br />
business office.<br />
NA<br />
Interior, N/A<br />
Power Supply: Standard 120 VAC, wall run,<br />
within inches of desired<br />
location<br />
System Interface: N/A<br />
Users: 25<br />
Networking: N/A<br />
Privacy: Low level concern. Access to<br />
data blocked.
Section 4 34 The <strong>Biometric</strong> System Design Process<br />
Ex a m p l E 2. DO O R s in multiplE Bu i lD i n g s O n O n E Ca m p u s<br />
This system comprises three buildings on five acres of<br />
one campus. Twenty-three doors require biometric securing.<br />
Four doors are exterior.<br />
Number of Devices: 23 (19 interior, 4 exterior)<br />
Number of Enrollment Points: 3<br />
Environment: Interior<br />
Exterior<br />
Climate: Temperature<br />
Humidity<br />
Precipitation<br />
Power Supply: Interior<br />
Exterior<br />
Normal light and sound,<br />
business office.<br />
Industrial park. Normal traffic<br />
within 50 feet.<br />
-5F to 105F<br />
20% - 80% RH<br />
14 in. annual rain, 8 in. annual<br />
snow<br />
Standard 120 VAC, wall run,<br />
within inches of desired location<br />
Standard 120 VAC, wall run<br />
behind brick fascia, steel door<br />
frames<br />
System Interface: Fiber optic network with spare<br />
fibers available<br />
Users: 1234<br />
Networking: Necessary. Campus has fiber<br />
backbone installed.<br />
Privacy: Mid-level concern.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 35<br />
Ex a m p l E 3. DO O R s in multiplE Bu i lD i n g s O n multiplE<br />
Ca m p u s E s<br />
This system comprises twelve buildings on twenty-three<br />
acres of three campuses on a sub-tropical island. One<br />
hundred twenty seven doors require biometric securing.<br />
Fourteen doors are exterior.<br />
Number of Devices: 127 (113 interior, 14 exterior)<br />
Number of Enrollment Points: 8<br />
Environment: Interior<br />
Exterior<br />
Climate: Temperature<br />
Humidity<br />
Precipitation<br />
Power Supply: Interior<br />
Exterior<br />
Version 2 – Summer 2008<br />
Normal light and sound,<br />
business office.<br />
Automobile traffic within 200<br />
yards.<br />
-10F to 95F<br />
40% - 95% RH<br />
34 in. annual rain, 0-2 in. annual<br />
snow<br />
Standard 120 VAC, wall run,<br />
within inches of desired location<br />
Standard 120 VAC, wall run<br />
behind brick or aluminum siding<br />
fascia, steel door frames<br />
System Interface: Fiber optic network with<br />
spare fibers available on two<br />
campuses. Telephone system<br />
on third campus.<br />
Internet/VPN desired for intercampus<br />
communications.<br />
Users: 52,350<br />
Networking: Both LAN and WAN necessary<br />
and available<br />
Privacy: High-level concern.
Section 4 36 The <strong>Biometric</strong> System Design Process<br />
Ex a m p l E 4. DO O R s a n D ma C h i nE R y O n nu m E R O u s sm a l l<br />
si t E s natiOnwiDE (ga s st at i O n s)<br />
This system comprises 1,875 buildings and 11,244 pumps<br />
nationwide, plus a national headquarters building. All<br />
buildings and pumps require a biometric-controlled lock.<br />
All doors and pumps doors are exterior.<br />
Number of Devices: 11,245, all exterior except HQ<br />
enrollment point.<br />
Number of Enrollment Points: 1,876<br />
Environment: Interior<br />
Exterior<br />
Climate: Temperature<br />
Humidity<br />
Precipitation<br />
Power Supply: Interior<br />
Exterior<br />
Normal light and sound,<br />
business office (HQ enrollment<br />
point).<br />
Automobile traffic within onethree<br />
feet of pumps, three-six<br />
feet from doors.<br />
National weather. Determine by<br />
site location.<br />
Standard 120 VAC, wall run,<br />
within inches of desired location<br />
Standard 120 VAC, conduit<br />
run within three feet of device<br />
location<br />
System Interface: All sites have standard POTS<br />
telephone service available.<br />
Internet/VPN desired for intercampus<br />
communications.<br />
Users: 5,600<br />
Networking: Recommended. VPN or Internet.<br />
Privacy: Mid-level concern.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 37<br />
b. Logical (virtual) access control<br />
If this is a virtual domain; that is, an information system or<br />
process based on an information system, is it:<br />
•<br />
•<br />
A stand-alone computer:<br />
–<br />
–<br />
How many?<br />
How many users per workstation?<br />
A networked system?<br />
–<br />
–<br />
Number of workstations<br />
Number of users?<br />
This will describe in exact detail the number of devices<br />
as well as the location and function of each biometric device<br />
in the proposed system, as well as the location and<br />
number of enrollment points.<br />
Version 2 – Summer 2008
Section 4 38 The <strong>Biometric</strong> System Design Process<br />
Ex a m p l E 1. st a n D-a l O n E DE s k t O p s a n D la p t O p s f O R sm a l l<br />
Bu s i n E s s<br />
Company owns 25 desktops and 15 laptop computers.<br />
Desktops are not networked together. The owner wants<br />
these to be biometrically secured.<br />
Number of Devices: 40 (25 desktop, 15 laptop)<br />
Number of Enrollment Points: 1<br />
System Interface: Not Required<br />
Environment: Standard office configuration.<br />
Access to office space is<br />
controlled by lock and key at one<br />
door to common hallway.<br />
Users: 75<br />
Networking: Necessary<br />
Privacy: Low-level concern<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 39<br />
Ex a m p l E 2. nE t wO R kE D DE s k t O p s a n D DEplOyaBlE la p t O p s<br />
f O R Bu s i n E s s<br />
Company owns 125 desktops in one location and 25 laptop<br />
computers. Desktops are networked together. When<br />
present in the office space, laptops can also plug into<br />
LAN. When not in an office, laptops are normally used in<br />
hotels, conference rooms, etc. on the road.<br />
Number of Devices: 13,305 (12053 desktop, 25 laptop)<br />
Number of Enrollment Points: 2<br />
System Interface: Secure LAN interface and control<br />
required. Fiber network in place.<br />
Environment: Standard office configuration.<br />
Most desktops are in locked<br />
offices. Access to office space is<br />
controlled by lock and key at one<br />
door to common hallway.<br />
Users: 250<br />
Networking: Yes<br />
Privacy: Mid-level concern<br />
Version 2 – Summer 2008
Section 4 40 The <strong>Biometric</strong> System Design Process<br />
Ex a m p l E 3. nE t wO R kE D DE s k t O p s a n D DEplOyaBlE la p t O p s<br />
f O R la R g E, gl O B a l Bu s i n E s s<br />
Company owns 12,053 desktops in multiple locations<br />
and 1,252 laptop computers. Company HQ is in New<br />
York with major offices in five large cities abroad. Desktops<br />
are networked together internationally. When present<br />
in the office space, laptops can also plug into LAN.<br />
When not in an office, laptops are normally used in hotels,<br />
conference rooms, etc. on the road. One common<br />
system desired.<br />
Number of Devices: 150 (12,053 desktop, 1,252<br />
laptop)<br />
Number of Enrollment Points: 6<br />
System Interface: Secure LAN interface and control<br />
required. Fiber network in place.<br />
Environment: Standard office configurations.<br />
Configurations vary from<br />
location to location from open<br />
bays, cubicles, and locked<br />
offices.<br />
Users: 16,700<br />
Networking: Yes. VPN and/or Internet<br />
Privacy: High-level concern<br />
Each of these examples has different operational challenges<br />
and solutions. Vendors will need to carefully examine<br />
the desired system details to confirm their ability<br />
to comply with the specification.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 41<br />
c. Examples of Combined Domains<br />
In the case of a combination of physical and virtual domains<br />
with an expectation that the two will work more<br />
or less interactively, the sytem specifier must:<br />
•<br />
•<br />
Describe each domain in detail.<br />
Describe the anticipated link between the two<br />
domains.<br />
Ex a m p l E 1. DO O R s a n D in f O R m a t iO n sy s t E m s a t nu m E R O u s<br />
sm a l l si t E s natiOnwiDE (fa s t fO O D si t E s)<br />
This system comprises 1,875 buildings and 1,875 desktop<br />
computers on as many sites nationwide, plus a national<br />
headquarters building. All buildings rquire a biometriccontolled<br />
lock. All doors are exterior. All computers are<br />
interior.<br />
Version 2 – Summer 2008
Section 4 42 The <strong>Biometric</strong> System Design Process<br />
ph y s iC a l DO m a i n<br />
This system comprises three buildings on five acres of<br />
one campus. Twenty-three doors require biometric<br />
securing. Four doors are exterior.<br />
Number of Devices: 1875, all exterior except HQ<br />
enrollment point.<br />
Number of Enrollment Points: 1876<br />
Environment: Interior<br />
Exterior<br />
Climate: Temperature<br />
Humidity<br />
Precipitation<br />
Power Supply: Interior<br />
Exterior<br />
Normal light and sound,<br />
business office (HQ enrollment<br />
point).<br />
Automobile traffic within 10<br />
feet of doors..<br />
National Weather. Determine<br />
by site location.<br />
Standard 120 VAC, wall run,<br />
within inches of desired<br />
location<br />
Standard 120 VAC, conduit run<br />
within 3 feet of device location<br />
System Interface: All sites have standards POTS<br />
telephone service available.<br />
Internet/VPN desired for intercampus<br />
communications.<br />
Users: 2100<br />
Networking: Yes<br />
Privacy: Mid-level concern<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 4 43<br />
Virtual Domain<br />
Number of Devices: 1875 desktop computers<br />
Number of Enrollment Points: 1<br />
System Interface: Secure LAN interface and<br />
control required. Standard<br />
POTS telephone service at all<br />
sites..<br />
Environment: Standard fast food restaurant<br />
configuration: cooking area,<br />
customer area, and small office<br />
location of computer.<br />
Users: 2100<br />
Networking: Yes<br />
Privacy: Mid-level concern<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 1<br />
Section 5: <strong>Biometric</strong> Standards<br />
Structure of <strong>Biometric</strong> Standards<br />
Introduction<br />
In order to understand how the different types of biometric<br />
standards fit together, it is useful to review the overall<br />
structure of biometric standard both visually (diagrammatically)<br />
as well as in a narrative. The structure shown<br />
in Figure 5-1 is commonly called an “Onion Diagram”. It<br />
shows biometric standards as a series of layers, starting<br />
with the heart of the onion and the inner three layers,<br />
all in blue, connoting those standards of most direct relevance<br />
to biometric system developers and users. The<br />
next layer (gray), deals with the interfaces which link the<br />
biometric components to the rest of the application - access<br />
control, watch list, or financial. Then there are the<br />
outer two layers (orange) which define how to deal with<br />
biometrics in terms of privacy, legal issues, and even the<br />
language used to describe them. Finally, there are the<br />
thin shells that separate and surround each layer..<br />
These layers represent the conformance standards which<br />
describe exactly how adherence to each of the other<br />
standards can be measured. Each of the other standards<br />
that sets out specific measurable requirements in its<br />
conformance clauses will need a corresponding conformance<br />
testing methodology standard. Without a separate<br />
conformance standard, it is difficult to know if any<br />
implementation of a given standard is correct, and that<br />
is why conformance permeates the entire onion, giving it<br />
structure and support.<br />
Version 2 – Summer 2008
Section 5 2 <strong>Biometric</strong> Standards and Best Practices<br />
Notes on the “Onion Diagram”: Don’t be intimidated<br />
by the designations and acronyms on the right side of<br />
the diagram. These are merely the international SC’s<br />
(SubCommittees), WGs, (Working Groups), and the<br />
U.S. technical committees’ TG’s (Task Groups M1.2<br />
- M1.6) responsible for development of the standards.<br />
The detail of these organizations and their functions<br />
will be explained later in this section, but if you wish,<br />
feel free to jump ahead and get a broader view of the<br />
standards world as you work through Figure 5-1.<br />
Data Interchange Formats<br />
The inner core of the onion is the biometric data interchange<br />
formats. These standards define the basic format<br />
of biometric images or templates and tell the technology<br />
manufacturers how to format data from their systems or<br />
interpret data coming into their systems. Each biometric<br />
modality (face, finger, iris, vein, hand, etc.) needs at<br />
least one of these standards to allow interoperability of<br />
data produced by different systems using that modality.<br />
If no other biometric standards existed, some reasonable<br />
measure of interoperability could still be achieved<br />
using the standards in this layer, which is why they form<br />
the heart of the onion. In some cases, different technologies<br />
using a given modality may also need their own<br />
standard. In ISO/IEC JTC 1 SC 37, for instance, there are<br />
data interchange format standards being developed for<br />
finger image (a raw or possibly intermediate biometric<br />
sample) and for three types of processed biometric samples:<br />
finger minutiae, finger pattern spectral, and finger<br />
pattern skeletal. This reflects the maturity of the fingerprint<br />
market with multiple technologies available to process<br />
the raw biometric data. In an ideal world, each modality<br />
would only use a single universal standard based<br />
on processed data, but while this might be beneficial for<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 3<br />
interoperability, it could inhibit the development of new<br />
technological advancements and reduce absolute performance.<br />
Logical Data Structure<br />
The next layer is the logical data structure or exchange<br />
format framework that is used to wrap the biometric data<br />
so that systems receiving a file know how to interpret the<br />
different data fields that might be associated with the<br />
biometric data. These could include demographic information<br />
or a digital signature to verify the data packet<br />
has not been tampered with. CBEFF (Common <strong>Biometric</strong><br />
Exchange File Format) is currently the most important<br />
standard in this layer (see CBEFF in Section 2, Terms and<br />
Definitions Related to <strong>Biometric</strong>s and a detailed explanation<br />
later in this Section under Current Work in <strong>Biometric</strong><br />
Standards Development.) The work of OASIS on the<br />
XCBF is also part of this layer, although it does address<br />
some of the security issues outlined in the next layer.<br />
Version 2 – Summer 2008
Section 5 4 <strong>Biometric</strong> Standards and Best Practices<br />
Data Security<br />
Once the core biometric data in a standardized form<br />
has been wrapped in a standardized file format, it is<br />
likely necessary to protect the data. This may involve<br />
the use of digital signatures in the CBEFF, as discussed<br />
previously, or the specification of a secure transmission<br />
protocol such as HTTPS to transer the XCBF compliant<br />
XML data. There are numerous encryption schemes<br />
that can be used, including traditional encryption<br />
which simply treats the biometric data as another<br />
payload, and biometric encryption, where the biometric<br />
characteristic is used in the encryption algorithms<br />
and thus not considered ready for general use.<br />
Standardization in these areas is a matter for security<br />
and cryptography experts and falls under the purview of<br />
ISO/IEC JTC 1 SubCommittee 27 “IT Security Techniques”.<br />
System Properties<br />
The next layer involves the properties of the biometric<br />
system. One of these is the performance of the biometric<br />
system, which is absolutely fundamental to deployment<br />
decisions. If the biometric system cannot enroll a sufficient<br />
percentage of the target population or if its ability<br />
to correctly match biometric samples from the same<br />
person without falsely matching samples from different<br />
people is insufficient, then the system is unsuitable for<br />
deployment. Significant progress has been made in advancing<br />
biometric performance testing standards, both<br />
in the United States and internationally, during the last<br />
few years and several standards will be ready to publish<br />
in the near future. One particularly important subset of<br />
performance testing, where work is still ongoing, is interoperability<br />
testing. One of the key purposes of biometric<br />
standards is to allow interoperability among com-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 5<br />
ponents and systems involving biometrics. Performance<br />
based interoperability testing is important because it<br />
documents not only that two systems can work together<br />
but how well they work together - a critical issue for system<br />
design and procurement decisions.<br />
Security evaluation standardization is also important. It<br />
permits methodologies to be developed by which biometric<br />
systems can be evaluated so that their security<br />
level is well established, rather than being the subject<br />
of vendor claims or uncertain testing. Once again, this<br />
falls under the mandate of groups such as SC 27 or X9,<br />
but in this case there is a definite need for advice from<br />
biometrics experts. That is because one of the critical<br />
items in defining overall system security is the performance<br />
of the biometrics itself. Extensive liaisons now exist<br />
between SC 37 and SC 27, especially on “ISO 19792 - A<br />
framework for security evaluation and testing of biometric<br />
technology”.<br />
The final area of biometric system properties is the specification<br />
of any explicit properties that are required for a<br />
particular application domain. This can be done through<br />
a biometric profile, such as those being developed for<br />
airport employees and seafarers in SC 37 or those already<br />
published for transportation workers and border<br />
management in the United States. It can also be accomplished<br />
through additional specifications from an end<br />
user organization that will supplement the base standards.<br />
ICAO has chosen this route, as has ILO for its first<br />
round of the Seafarers’ Identity Document, although ILO<br />
is also participating in the SC 37 development of a corresponding<br />
profile for seafarers. There will need to be<br />
a reasonable number of biometric application profiles<br />
developed during the next few years as biometric standards<br />
and the biometrics market mature and as applica-<br />
Version 2 – Summer 2008
Section 5 6 <strong>Biometric</strong> Standards and Best Practices<br />
tions proliferate. Eventually, however, new application<br />
areas should be able to use one of the existing profiles<br />
with little or no modifications.<br />
Interfaces<br />
<strong>Biometric</strong> interfaces form the next layer of the onion<br />
(gray). These are interfaces between the core biometric<br />
systems, represented by the inner four layers of the<br />
onion and the outside world. Foremost among them is<br />
BioAPI, but there are now other interface standards under<br />
development that will significantly expand the scope<br />
of the current BioAPI. Most of the new work is taking<br />
place within SC 37 and features amendments to BioAPI<br />
2.0 to support GUI control and data archiving. There is<br />
also work on a <strong>Biometric</strong> Interworking Protocol to allow<br />
BioAPI systems on different computers to communicate<br />
and work together, as well as smaller version of BioAPI<br />
that is specifically designed for constrained systems with<br />
low memory and/or processing power. The M1.2 Task<br />
Group of M1 has led the way in the United States with<br />
publication of ANSI INCITS 358-2002/AM1-2007, which<br />
amends the BioAPI specification by adding support for<br />
multibiometrics or biometric fusion. As these standards<br />
develop, it is important that proper coordination between<br />
the biometrics experts and the experts in other<br />
areas of information technology, exist to ensure that the<br />
technical interfaces being developed adequately reflect<br />
modern system design principles and requirements.<br />
Vocabulary<br />
The final two layers of the onion (orange), represent the<br />
outside world and how to deal with biometrics as a general<br />
subject. A harmonized biometric vocabulary allows<br />
different groups to avoid miscommunication when dis-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 7<br />
cussing biometrics. This is important in harmonizing the<br />
language used in all of the other standards’ documents,<br />
but it also plays a role in simplifying the deployment of<br />
biometric sytems. Unfortunately, progress in developing<br />
a harmonized vocabulary remains slow. There are definite<br />
linguistic and usage issues which separate various<br />
groups within SC 37 and even within the United States.<br />
Fortunately, general industry practice has accepted particular<br />
usages of certain terms, so that even if they are not<br />
agreed upon in a standard, there is de facto agreement<br />
outside the standards’ process. In the meantime, both<br />
M1 and SC 37 will continue work on vocabulary issues.<br />
Societal and Cross-Jurisdictional Issues<br />
Societal and cross-jurisdictional issues involve the impact<br />
of biometrics on privacy, health, safety and other<br />
similar areas. SC 37 is studying standardization of these<br />
areas internationally and M1 is participating to represent<br />
U.S. interests. Within each country or region there are different<br />
legislative issues and public perceptions that may<br />
influence how biometrics are used. The key goal here is<br />
develop a standardized way of measuring or managing<br />
these issues and, if possible, a set of minimum guidelines<br />
that can achieve sufficient consensus to be internationally<br />
standardized. The international standards in this area<br />
will be particularly important for the deployment of large<br />
scale cross-border systems, as proposed by ICAO or ILO<br />
for instance. It is not an easy task, though, to achieve international<br />
consensus on these issues.<br />
Conformance Testing<br />
Finally, surrounding and pervading the entire onion is<br />
the issue of conformance testing standards. Most standards<br />
in the other areas enumerated previously do not<br />
Version 2 – Summer 2008
Section 5 8 <strong>Biometric</strong> Standards and Best Practices<br />
provide any formal way of certifying that a particular<br />
technology or product conforms to the standard. There<br />
are exceptions. Certain standards, such as vocabulary,<br />
do not require conformance testing. Others, such<br />
as biometric profiles, rely on the conformance testing<br />
standards associated with the base standards they reference,<br />
combined with the application specific guidance<br />
they provide. Thus, they do not need a separate conformance<br />
testing standard. The vast majority of standards,<br />
however, do benefit from a detailed conformance testing<br />
standard, and this is an area where significant work<br />
is now underway both in M1 and SC 37. A small number<br />
of conformance testing standards have been published<br />
- specifically ANSI INCITS 429-2007 and ISO 24709, which<br />
provide standardized methods of determining whether<br />
a software system conforms to the BioAPI standard. Significant<br />
progress in the overall understanding of how<br />
conformance testing biometric products and systems<br />
has been achieved and of the number of conformance<br />
standards are on the horizon.<br />
Conformance testing standards have another benefit. In<br />
addition to ensuring that individual products or systems<br />
conform to a base standard, they can reveal problems in<br />
the base standard itself. It may have too many optional<br />
features so that multiple products that are conformant<br />
with a standard designed to promote interoperability<br />
are not actually interoperable with each other. Alternatively,<br />
the standard could be written so loosely that it is<br />
subject to interpretation, and vendors may believe their<br />
products conform to the standards when, in reality, they<br />
do not. Conformance testing standards provide: a set of<br />
specific testing methodologies that vendors or third party<br />
testing laboratories can use to test the conformance of<br />
individual products to a particular standard. Thus, most<br />
of the problems mentioned above will be revealed as the<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 9<br />
conformance testing standard is developed. Indeed, numerous<br />
minor problems have been revealed in the first<br />
generation of M1 and SC 37 standards due to recent work<br />
on both conformance and interoperability testing, and<br />
projects are now underway to improve these standards.<br />
The Importance of <strong>Biometric</strong> Standards<br />
<strong>Biometric</strong> technologies have the potential to become<br />
the foundation of an extensive array of highly secure<br />
identification and personal verification solutions. In addition<br />
to supporting homeland security and preventing<br />
ID fraud, biometric-based systems are able to provide for<br />
confidential financial transactions and personal data privacy.<br />
Enterprise-wide network security infrastructures,<br />
employee IDs, secure electronic banking, investing and<br />
other financial transactions, retail sales, law enforcement,<br />
and health and social services are already benefiting from<br />
these technologies. Before that potential can be fully realized,<br />
however, a comprehensive array of standards will<br />
be necessary to ensure that information technology systems<br />
and applications are interoperable, scalable, usable,<br />
reliable, and secure.<br />
For any given technology, the development of industry<br />
standards assures the availability of multiple sources of<br />
comparable products in the marketplace. It also ensures<br />
uniformity of certain processes to enable communication<br />
and data exchange between systems. Further, it<br />
provides an accepted series of metrics by which vendor’<br />
claims can be judged.<br />
In the past, the biometric industry has been characterized<br />
by a mass of small, highly competitive companies,<br />
each with the desire to promote its own proprietary technology.<br />
This “marketing orientation” often outweighed<br />
Version 2 – Summer 2008
Section 5 10 <strong>Biometric</strong> Standards and Best Practices<br />
the desire to see the entire biometric sector benefit from<br />
increased standardization. In recent years, however, the<br />
biometric industry has begun to build consensus-based<br />
industry standards.<br />
The underlying goal in developing biometric standards<br />
is to make systems that include biometric technology<br />
easier and more reliable to deploy and maintain. Basically,<br />
the existence of standards lowers risk. According to<br />
Fernando Podio, co-chairman of the <strong>Biometric</strong> Consortium<br />
and a program manager at the National Institute of<br />
Standards and <strong>Technology</strong> (NIST), biometric standards<br />
“are needed and expected by many end-users.,” “Without<br />
open standards, you cannot really achieve interoperability.”<br />
Vendor lock-in makes it much more difficult to interpret<br />
other biometric technologies, make upgrades, swap one<br />
technology for another, or integrate more than one biometric<br />
technology into a single system. Enterprise systems<br />
and applications based on consensus biometric<br />
standards are more likely to be interoperable, scalable,<br />
usable, reliable, secure, and economical than proprietary<br />
systems.<br />
The biometric industry is still evolving, developing new<br />
technologies and solving technical issues. In addition to<br />
technological issues, there are standards issues impacting<br />
that evolution.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 11<br />
Issue: While some progress has been made in development<br />
of testing standards, it has been, in general,<br />
broad areas relative to testing such as Principles and<br />
Framework and specifying those “P’s & F’s” for the three<br />
main areas of testing: <strong>Technology</strong>, Scenario, and Operational<br />
(see paragraph on M1.5 below). There are currently<br />
no approved national or international standards<br />
for measuring and reporting the accuracy of specific<br />
biometric modalities in an area of testing. Indeed, despite<br />
tremendous effort by the standards development<br />
community, there is not yet agreement on taxonomy<br />
of biometric applications - the closest the industry has<br />
come is an international Technical Report on modalityspecific<br />
testing that attempts to define taxonomy of<br />
biometric applications so that different testing methods<br />
can be specified where appropriate.<br />
Impact: The lack of established scientific standards for<br />
comparing the accuracy of different biometric products<br />
known as “performance testing standards” results<br />
in marketplace confusion and makes the job of comparing<br />
biometric products extremely difficult. Currently,<br />
it is essentially impossible to scientifically compare<br />
the accuracy of different biometric products in a repeatable<br />
manner. <strong>Biometric</strong> product consumers currently<br />
have no scientifically developed, agreed-upon<br />
methods to determine how well the biometric products<br />
they buy, or are considering, actually work.<br />
Version 2 – Summer 2008
Section 5 12 <strong>Biometric</strong> Standards and Best Practices<br />
Issue: As of mid-2008, only two national standards existed<br />
for evaluating whether a product that claims to<br />
support a biometric standard actually conforms to the<br />
standard. One gives broad, general guidance (ANSI<br />
INCITS 423.1-2008 “Generalized Conformance Testing<br />
Methodology”), and the other is specific for the BioAPI<br />
(ANSI INCITS 429-2007 “Conformance Testing Methodology<br />
for INCITS 358-2002 BioAPI Specification”).<br />
Impact: The lack of established conformance testing<br />
standards results in an inability to verify that a commercial<br />
product conforms to a standard, such as Bio-<br />
API, and thus makes it impossible to guarantee the<br />
interoperability of the product with other biometric<br />
products or system components.<br />
The consequences of using technologies that are not<br />
compliant with standards’ bodies are twofold: 1) the<br />
products in question will most likely not interoperate<br />
with the products of competing vendors and 2) the<br />
products in question may not interface with other portions<br />
of the applications.<br />
Example: Using biometrics at a bank. The security department<br />
of a bank wants increased accountability and<br />
a solid audit trail for determining who accesses various<br />
files, accounts, or even the safe. The IT department of<br />
the bank wants to reduce help desk cost for password<br />
resets and other administrative functions dealing with<br />
user identity. The bank has many branches that are geographically<br />
dispersed, and a variety of users (employees)<br />
of difference in age, gender, dispositions, etc. With any<br />
technology, there will be a small percentage of the user<br />
population who cannot or will not use it.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 13<br />
An important point concerning standards-compliant<br />
biometric technologies is that they can be mixed-andmatched.<br />
If there is a particular biometric technology<br />
that one segment of the user population cannot use,<br />
then a different biometric technology can be incorporated<br />
to accomodate these variations. Standards-based<br />
biometric technologies and systems will be versatile and<br />
flexible, whereas proprietary systems that do not comply<br />
with industry standards may not be.<br />
Additionally, standards-based biometric systems allow<br />
enrollment on one system, for example, and matching on<br />
another. File interchange formats allow data interchange<br />
so an enrollment on System A at Location C can be recognized<br />
and matched on System B at Location D.<br />
Example: Using biometrics at military installation 45 A<br />
small office of workstations or a single access gate to a<br />
military installation presently use biometrics on a small<br />
scale. In such situations, there could be a future requirement<br />
or mandate for those resources (e.g., workstations<br />
or gates) into a larger regional system. If the products<br />
in question are not standards-based, then integrating<br />
local systems into a large regional system at a later date<br />
will likely require a costly and operationally disruptive replacement<br />
of technology.<br />
45 Example extracted from U.S. Department of Defense <strong>Biometric</strong>s<br />
Standards Development Recommended Approach, <strong>Biometric</strong>s<br />
Management Office. September 2004.<br />
Version 2 – Summer 2008
Section 5 14 <strong>Biometric</strong> Standards and Best Practices<br />
Current Work in <strong>Biometric</strong> Standards<br />
Development<br />
Note on currency: As with any effort to provide information<br />
about a proces which is moving forward and evolving,<br />
“currency” becomes a relative term. It is especially so in<br />
the area of standards, where standards bodies are meeting<br />
four to six times annually and there are upwards of 20 projects<br />
being discussed at any given time. “Emerging” (not<br />
yet published), standards can transition to “Published”<br />
overnight. While the references to specific standards and<br />
projects underway are as current as we know today, the<br />
most current information in the future can be found on<br />
the NBSP Web site at: http://www.nationalbiometric.org/.<br />
There are several groups, both national and international,<br />
that are playing major roles in the development of standards<br />
for biometric technologies. The remainder of this<br />
section will summarize the activities of the major groups<br />
at both the national and international levels. Because of<br />
the plethora of new biometric standards activities, this<br />
list should not be considered exhaustive. To simplify the<br />
analysis, the standards-developing groups are classified<br />
into three broad categories:<br />
1.<br />
2.<br />
3.<br />
Government appointed standards development<br />
bodies (e.g., ISO, ANSI, NIST)<br />
Industry and other consortia (e.g., BioAPI Consortium,<br />
OASIS)<br />
End users (e.g., ICAO, ILO)<br />
Groups in the first category try to develop standards in<br />
accordance with their government appointed mandates,<br />
either to achieve the overall economic benefit that re-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 15<br />
sults from standardization or to fulfill specific legislative<br />
mandates such as those of the U.S. PATRIOT Act.<br />
Groups in the second category attempt to develop standards<br />
that support the aims of their membership. While<br />
these generally align with the overall goal of enhancing<br />
standardization, individual consortia may have narrow<br />
aims, so there are often gaps or overlaps between the<br />
standards development work of the various consortia<br />
that can lead to confusion.<br />
Finally, the third category of groups develops specific<br />
standards related to a particular technology application<br />
that is within its domain. In an ideal world, these end user<br />
groups would be able to reference general standards developed<br />
by the other groups and apply them to their domains.<br />
International Standards Organizations<br />
There are standards groups throughout the world that<br />
seek to fulfill their mandates in the same way U.S. groups<br />
do. There are also regional groups such as the European<br />
Committee for Standardization, which has an Information<br />
Society Standardization System (CEN/ISSS) whose<br />
mandate includes building a European consensus on IT<br />
standards. The most relevant bodies for U.S. consideration,<br />
however, are those which set global standards, as<br />
they will have the most impact and provide the best opportunity<br />
for U.S. participation.<br />
International Organization for Standardization<br />
(ISO)—ISO is the world’s largest developer of standards.<br />
It is composed of representatives from the national standards<br />
bodies of 148 countries, with a central secretariat<br />
Version 2 – Summer 2008
Section 5 16 <strong>Biometric</strong> Standards and Best Practices<br />
based in Geneva, Switzerland, that coordinates activities.<br />
Although ISO is primarily composed of national standards<br />
bodies, the representatives from these bodies may<br />
be from either government or industry sectors, and there<br />
are external groups that hold liaison status with ISO. Several<br />
committees within ISO are at least partly involved in<br />
biometric standards development.<br />
International Electrotechnical Commission (IEC)—The<br />
IEC was one of the first international standards bodies to<br />
exist, being founded in 1906, predating ISO by 41 years.<br />
Its mandate is to prepare and publish international standards<br />
for all electrical, electronic, and related technologies.<br />
ISO/IEC Joint Technical Committee 1 (JTC 1)—In<br />
1987, the International Organization for Standardization<br />
(ISO) and the International Electrotechnical Commission<br />
(IEC) formed the Joint Technical Committee 1 (JTC 1) on<br />
Information <strong>Technology</strong> (IT) to develop and promote IT<br />
standardization and thereby meet the global demands<br />
of businesses and users. The ISO/IEC JTC 1 created a series<br />
of SubCommittees (SCs).<br />
• SC 17 is responsible for cards and personal identification<br />
and particularly focused on the application of<br />
biometrics to smart cards and travel documents.<br />
• SC 27 is responsible for IT security techniques and<br />
focused on security issues surrounding biometrics<br />
and the evaluation of the security implications of<br />
biometrics.<br />
SC 37<br />
• has the primary responsibility for biometrics<br />
standards in the international arena.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 17<br />
ISO/IEC JTC 1 SC 37 on biometrics was established in<br />
June 2002. The formation of JTC 1 SC 37 was initiated<br />
and championed by the United States. The establishment<br />
of JTC 1 SC 37 provides an international venue to<br />
accelerate and harmonize formal international biometric<br />
standarization. Such harmonization will ensure that future<br />
standards-based systems and applications are more<br />
interoperable, scalable, reliable, usable, and secure.<br />
At the international level, SC 37 has become a vital force<br />
in biometric standards development activities. SC 37<br />
formed to ensure rapid and comprehensive development<br />
of biometric standards at the international level,<br />
while minimizing overlap with work in SC 17 and SC 27.<br />
The scope of this work is defined as “Standardization of<br />
genetic biometric technologies pertaining to human beings<br />
to support interoperability and data interchange<br />
among applications and systems. Generic human biometric<br />
standards include: common file frameworks; biometric<br />
application programming interfaces; biometric data interchange<br />
formats; related biometric profiles; application of<br />
evaluation criteria to biometric technologies; methodologies<br />
for performance testing and reporting and cross jurisdictional<br />
and societal aspects.” 46<br />
SC 37 has several subordinate Work Groups (WGs) that<br />
address different aspects of biometric standards development.<br />
These include:<br />
•<br />
•<br />
WG 1 – Standards for <strong>Biometric</strong> Vocabulary<br />
WG 2 – Standards for Technical interfaces<br />
46 According to ISO/IEC JTC 1 SC 37<br />
Version 2 – Summer 2008
Section 5 18 <strong>Biometric</strong> Standards and Best Practices<br />
•<br />
•<br />
•<br />
•<br />
WG 3 – Standards for Data Exchange Formats<br />
WG 4 – Standards for <strong>Biometric</strong> Profiles<br />
WG 5 – Standards for Performance Testing and<br />
Reporting<br />
WG 6 – Standards for Cross-jurisdictional and<br />
Societal Aspects<br />
Effectively, SC 37 is the international counterpart of<br />
INCITS M1 47 within the United States., and its areas of<br />
work map closely to those activities supported by M1.<br />
<strong>Biometric</strong> standards developed in the United States must<br />
be coordinated with an international forum.<br />
INCITS (International Committee for Information<br />
<strong>Technology</strong> Standards)—INCITS is the primary U.S. standardization<br />
body in the field of information and communications<br />
technologies. This includes information<br />
storage, processing, transfer, display, management, organization,<br />
and retrieval. INCITS has a number of Technical<br />
Committees (TCs) that lead standards development efforts<br />
in various areas. In fact, there are more than 30 TCs<br />
within INCITS, including several that touch on biometric<br />
standards. The TC that focuses most prominently on the<br />
development of biometric standards is known as M1.<br />
INCITS Technical Committee M1 <strong>Biometric</strong>s—INCITS<br />
M1 is the U.S. Technical Advisory Group (TAG) to ISO/IEC<br />
JTC 1 SC 37 – <strong>Biometric</strong>s. M1 was established to ensure<br />
a high priority, focused, and comprehensive approach<br />
in the United States for the rapid development and ap-<br />
47 See INCITS Technical Committee M1 <strong>Biometric</strong>s<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 19<br />
proval of formal national and international biometric<br />
standards for biometric data interchange and interoperability.<br />
These standards are considered to be critical for<br />
U.S. needs, such as homeland defense, the prevention of<br />
identity theft, and for other government and commercial<br />
applications based on biometric personal authentication.<br />
As INCITS is the TAG to ISO/IEC JTC 1, M1 is the<br />
TAG to its counterpart in the international arena, JTC 1<br />
subcommittee SC 37 - <strong>Biometric</strong>s, which is developing a<br />
similar portfolio of standards.<br />
Since its founding in November 2001, M1 has been the<br />
primary U.S. focus for formal biometric standards development<br />
and carries the U.S. position to the primary international<br />
biometric standards group. The current program<br />
of work includes technical interfaces between biometrics<br />
and other system components, data interchange formats,<br />
biometric application profiles, performance testing and<br />
reporting, multi-biometric systems, cross jurisdictional<br />
and societal issues, and conformance testing for these<br />
various standards.<br />
Currently, there are five Task Groups within M1. Task<br />
Groups are established with a long-term, permanent view<br />
and do not require periodic reauthorization to conduct<br />
business. They maintain formal memberships, separate<br />
from the full M1 plenary Technical Committee and have<br />
their own officers. They have the right to make decisions<br />
on those within their purview, although these decisions<br />
are formally reviewed/approved and can always be overruled<br />
by the M1 plenary.<br />
These Task Groups include:<br />
• M1.2—<strong>Biometric</strong> Technical Interfaces— This task<br />
Version 2 – Summer 2008
Section 5 20 <strong>Biometric</strong> Standards and Best Practices<br />
group covers the standardization of all necessary interfaces<br />
and interactions between biometric components<br />
and sub-systems, including the possible use of<br />
security mechanisms to protect stored data and data<br />
transferred between systems. Completed projects to<br />
date include:<br />
–<br />
–<br />
–<br />
The formal standardization and maintenance of<br />
the Common <strong>Biometric</strong> Exchange File Format<br />
(CBEFF) (ANSI INCITS 398-2008).<br />
<strong>Biometric</strong> <strong>Application</strong> Programming Interface,<br />
{BioAPI} (ANSI INCITS 358-2002) and amendment<br />
one (ANSI INCITS 358-2002/AM1-2007)<br />
Conformance Testing Methodology for INCITS<br />
358-2002<br />
429-2007)<br />
BioAPI Specification (ANSI/INCITS<br />
• M1.3 - <strong>Biometric</strong> Data Interchange Formats - A task<br />
group set up to ensure the standardization of the<br />
content, meaning, and representation of biometric<br />
data interchange formats. This work is at the heart<br />
of allowing systems to be interoperable, since it defines<br />
standard template or image representations for<br />
biometric data. Completed projects to date include:<br />
–<br />
–<br />
–<br />
Finger Pattern Based Interchange Format (ANSI<br />
INCITS 377-2004)<br />
Finger Minutiae Format for Data Interchange<br />
(ANSI INCITS 378-2004)<br />
Finger Image Based Interchange Format (ANSI IN-<br />
CITS 381-2004)<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 21<br />
–<br />
–<br />
–<br />
–<br />
Face Recognition Format for Data Interchange<br />
(ANSI INCITS 385-2004)<br />
Iris Recognition Interchange Format (ANSI INCITS<br />
379-2004)<br />
Signature/Sign Image Interchange Format (ANSI<br />
INCITS 395-2005)<br />
Hand Geometry Interchange Format (ANSI INCITS<br />
396-2005)<br />
• M1.4 - <strong>Biometric</strong> Profiles - This task group deals with<br />
the standardization of application-specific profiles<br />
that explain how to take base biometric standards<br />
and use them in a particular application domain.<br />
Current application profiles include:<br />
•<br />
–<br />
–<br />
–<br />
–<br />
–<br />
<strong>Biometric</strong> Based Verification and Identification of<br />
Transportation Workers (ANSI INCITS 383-2008)<br />
<strong>Biometric</strong> Based Personal Identification for Border<br />
Management (ANSI INCITS 394-2004)<br />
Point-of-Sale <strong>Biometric</strong> Verification/Identification<br />
<strong>Biometric</strong> Physical Access Control (ANSI INCITS<br />
422-2007)<br />
Department of Defense Implementations (ANSI<br />
INCITS 421-2006)<br />
M1.5 - <strong>Biometric</strong> Performance Testing and Reporting -<br />
This group handles the standardization of biometric<br />
performance metric definitions and calculations, as<br />
well as defines approaches to testing performance<br />
Version 2 – Summer 2008
Section 5 22 <strong>Biometric</strong> Standards and Best Practices<br />
and the requirements for reporting the results of<br />
those tests.<br />
–<br />
–<br />
–<br />
–<br />
<strong>Biometric</strong> Performance Testing and Reporting<br />
(ANSI INCITS 409.1-2005 Principles and Framework)<br />
<strong>Biometric</strong> Performance Testing and Reporting<br />
(ANSI INCITS 409.2-2005 <strong>Technology</strong> Testing and<br />
Reporting)<br />
<strong>Biometric</strong> Performance Testing and Reporting<br />
(ANSI INCITS 409.3-2005 Scenario Testing and Reporting)<br />
<strong>Biometric</strong> Performance Testing and Reporting<br />
(ANSI INCITS 409.4-2006 Operational Testing<br />
Methodologies)<br />
• M1.6—Cross Jurisdictional and Societal Issues— This<br />
task group is not intended to develop national standards<br />
but to provide recommendations and particularly<br />
to develop U.S. technical contributions to the<br />
corresponding international group, JTC 1 SC 37 WG<br />
6. Since international decisions on cross-jurisdictional<br />
matters may significantly affect U.S. interests,<br />
this subject is important enough to warrant a U.S.<br />
task group.<br />
Additionally, ad-hoc groups can be formed within the<br />
M1 TC and/or within Task Groups as necessary. Ad-hoc<br />
groups are short lived and focus on a specific problem,<br />
technical issue, investigation, or report. Unlike TGs, the<br />
ad-hoc groups’ authority automatically expires after a<br />
short period unless extended by a formal action of the<br />
M1 plenary body. On occasion, an ad-hoc group may fo-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 23<br />
cus so broadly, or may be so pervasive or extended, that it<br />
could warrant replacement by a permanent Task Group.<br />
OASIS (Organization for the Advancement of Structured<br />
Information Standards) - OASIS is a not-for-profit,<br />
international consortium that drives the development,<br />
convergence, and adoption of e-business standards. The<br />
organization produces a large number of web standards<br />
in supporting areas for e-business such as security and<br />
biometrics. The OASIS XML Common <strong>Biometric</strong> Format<br />
(XCBF) Technical Committee has specifically defined<br />
a common set of secure XML encodings for the patron<br />
formats specified in CBEFF, allowing biometric data to<br />
be securely passed over the Internet. The XML Common<br />
<strong>Biometric</strong> Format (XCBF) is a common set of secure<br />
XML encodings defined by the XCBF Technical Committee<br />
of the OASIS. XCBF provides security for biometric<br />
data through its support of the X9.96 XML Cryptographic<br />
Message Syntax (XCMS) standard. In 2003, XCBF 1.1 became<br />
an approved OASIS standard.<br />
The Open Group - The Open Group is an international<br />
consortium dedicated to “Boundary-less Information<br />
Flow achieved through global interoperability in a<br />
secure, reliable, and timely manner.” It has, in the past,<br />
been involved in biometric standardization through its<br />
Security Forum, which participated in the development<br />
of the BioAPI, and encourages the development of secure<br />
methods of personal authentication. This group has<br />
developed an extension to its Common Data Security<br />
Architecture (CDSA) with a biometric component - Human<br />
Recognition Services Module (HRS). CDSA is a set<br />
of layered security services and a cryptographic framework<br />
that provides the infrastructure for creating crossplatform,<br />
Version 2 – Summer 2008
Section 5 24 <strong>Biometric</strong> Standards and Best Practices<br />
interoperable, security-enabled applications for clientserver<br />
environments. The biometric component of the<br />
HRS is used in conjunction with other security modules<br />
(i.e., cryptographic, digital certificates, and data libraries)<br />
and is compatible with the BioAPI specification and CB-<br />
EFF.<br />
ASC X9 (Accredited Standard Committee X9) is a nonprofit,<br />
tax-exempt 501(c)(3) organization, formed specifically<br />
“to develop, establish, publish, maintain, and<br />
promote standards for the Financial Services Industry<br />
in order to facilitate delivery of financial products and<br />
services”. It is the only industry-wide forum that brings<br />
together bankers, security professionals, manufacturers,<br />
regulators, associations, consultants, and others in the financial<br />
services industry to address technical issues, find<br />
the best solutions, and codify them as nationally accepted<br />
standards.<br />
ASC X9 has developed and published ANSI X9.84-2003,<br />
<strong>Biometric</strong>s Management and Security for the Financial<br />
Services Industry. ANSI X9.84-2003 specifies the minimum<br />
security requirements for effective management<br />
of biometric data for the financial services industry and<br />
the security for the collection, distribution, and processing<br />
of biometric data.<br />
ASC X9 is a U.S., ANSI-accredited standards developing<br />
body. It serves as the ANSI TAG to the ISO Technical Committee<br />
68. A subcommittee of the X9 committee known<br />
as SCF Data Security is concerned specifically with the<br />
security and management of biometric data in financial<br />
services, including secure transmission, and storage.<br />
X9 has developed a financial services standard for<br />
biometrics, X9.84, which is increasingly being cited for<br />
use in other industry sectors.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 25<br />
Figure 5-2 <strong>Biometric</strong> Standards Activities. 48<br />
48 Chart from ANSI Homeland Security Standards Panel <strong>Biometric</strong> Workshop<br />
Report. April 2004. Chart also included in NIST <strong>Biometric</strong> Standards<br />
Program presentation. Michael D. Hogan and Fernando Podio.<br />
September 2004.<br />
Version 2 – Summer 2008
Section 5 26 <strong>Biometric</strong> Standards and Best Practices<br />
BioAPI Consortium<br />
The BioAPI Consortium initially formed in 1998 to develop<br />
a widely available and accepted <strong>Application</strong> Programming<br />
Interface (API) that would serve for various<br />
biometric technologies. The BioAPI was originally conceived<br />
as a multi-level API and was the initial framework<br />
for discussion when three groups - BioAPI, HA-API, and<br />
BAPI - were merged.<br />
The BioAPI specification was approved in Februay 2002<br />
as ANSI INCITS 358-2002 and amended as ANSI INCITS<br />
358-2002/AM 1-2007. It defines an open systems common<br />
<strong>Application</strong> Programming Interface (API) between<br />
applications and biometric technology modules. The<br />
implementation of compliant solutions allows for:<br />
•<br />
•<br />
•<br />
•<br />
Easy substitution of biometric technologies,<br />
Utilization of biometric technologies across multiple<br />
applications,<br />
Easy integration of multiple biometrics, and<br />
Rapid development of applications.<br />
The development of a single approach specified in this<br />
standard promotes interoperability among applications<br />
and biometric subsystems by defining a generic way of<br />
interfacing with a broad range of biometric technologies.<br />
BioAPI is intended to provide a high-level generic biometric<br />
authentication model suitable for any form of biometric<br />
technology. It covers the basic functions of en-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 27<br />
rollment, verification, and identification - including a database<br />
interface to allow a <strong>Biometric</strong> Service Provider (BSP) to<br />
manage the identification population for optimum performance.<br />
It also provides primitives that allow an application<br />
to manage the capture of samples on a client and the enrollment,<br />
verification, and identification on the server. Bio-<br />
API defines a common method of communication between<br />
a software application and an underlying biometric technology<br />
module. The intent is to provide an open system<br />
specification that supports a broad range of applications<br />
while remaining biometric technology vendor neutral. This<br />
is critical in large-scale deployments of biometrics since it<br />
can assist in enabling:<br />
•<br />
•<br />
•<br />
•<br />
Rapid development of applications employing<br />
biometrics,<br />
Flexible deployment of biometrics across platforms<br />
and operating systems,<br />
Improve ability to exploit price performance advances<br />
in biometrics, and<br />
Enhanced implementation of multiple biometric technologies.<br />
Common <strong>Biometric</strong> Exchange File Format<br />
(CBEFF)<br />
CBEFF defines a biometric data structure that assures that<br />
different biometric devices and applications can exchange<br />
biometric information efficiently. This common file format<br />
facilitates exchange and interoperability of biometric data<br />
from all modalities of biometrics independent of the particular<br />
vendor that would generate the biometric data. It<br />
Version 2 – Summer 2008
Section 5 28 <strong>Biometric</strong> Standards and Best Practices<br />
promotes interoperability of biometric application programs<br />
and systems developed by different vendors by allowing<br />
biometric data interchange. Different CBEFF patrons<br />
may define and register their own formats. This allows<br />
other entities to interpret the meaning of the unique data<br />
elements contained within that patron format. It provides<br />
forward compatability for technology improvements, since<br />
there are data fields that refer to the biometric data, version<br />
number, and vendor’s name. CBEFF can accomodate<br />
any biometric technology and can facilitate the exchange<br />
of biometric data between systems. It does not, however,<br />
achieve compatibility among different biometric technologies.<br />
Although Vendor A may be able to read CBEFF compliant<br />
data from Vendor B by looking up Vendor B’s patron<br />
format, it does not mean that Vendor A can use the data to<br />
perform biometric verification or identification.<br />
CBEFF was formalized as NIST Interagency Report (NISTIR)<br />
6529 in 2001 but work continues to further develop the applications<br />
of CBEFF and to have it standardized internationally.<br />
CBEFF is being incorporated in U.S. government and<br />
international requirements 49 such as the technical specifications<br />
drafted by the International Civil Aviation Organization<br />
(ICAO). Some groups are now starting to insist on<br />
CBEFF as part of their own biometrics applications. The biometric<br />
interchange records produced as part of the BioAPI,<br />
for instance, have their own CBEFF patron format. ICAO 50<br />
has also announced that<br />
49 ANSI Homeland Security Standards Panel <strong>Biometric</strong> Workshop<br />
Report. April 2004.<br />
50 International Civil Aviation Organization (ICAO) has a general<br />
mandate to facilitate safe and economical civil avation. It is a<br />
special agency of the UN and was founded in 1947. Under this<br />
mandate, ICAO has been given specific responsibility to ensure<br />
the standardization of travel documents.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 29<br />
biometric data stored on travel documents should be<br />
stored in a CBEFF compliant format.<br />
The <strong>Biometric</strong> Interoperability, Performance, and Assurance<br />
Working Group, sponsored by NIST and the <strong>Biometric</strong><br />
Consortium (NIST/BC <strong>Biometric</strong> WG) approved an augmented<br />
version of CBEFF called the Common <strong>Biometric</strong><br />
Exchange File Format. This revised version includes the<br />
specification of a nested structure that accommodates<br />
biometric data from multiple biometric types, such as<br />
finger, facial, and iris data in the same structure and also<br />
accommodates multiple samples of a specifc biometric<br />
type. It also defines a Product Identifier that allows an<br />
application to determine the biometric data originator<br />
and a CBEFF compatible smart card biometric data structure.<br />
ANSI NIST Standards<br />
ANSI (the American National Standards Institute) serves<br />
as an administrator coordinator of the U.S. private sector<br />
voluntary standardization system. The organization promotes<br />
and facilitates voluntary consensus standards and<br />
conformity assessment systems. ANSI recently founded<br />
a standards panel to identify existing consensus standards<br />
for homeland security and assist the Department<br />
of Homeland Security (DHS) and those sectors requesting<br />
assistance to accelerate the development and adoption<br />
of consensus standards that are critical to homeland<br />
security and national defense. ANSI itself does not develop<br />
American National Standards but provides all interested<br />
U.S. participants with a neutral venue to come<br />
together and work toward common goals.<br />
Version 2 – Summer 2008
Section 5 30 <strong>Biometric</strong> Standards and Best Practices<br />
ANSI promotes the use of U.S. standards internationally,<br />
advocates U.S. policy and technical positions in international<br />
and regional standards organizations, and encourages<br />
the adoption of international standards as national<br />
standards when they meet the needs of end-users.<br />
NIST (National Institute of Standards and <strong>Technology</strong>) is<br />
involved in many capacities in biometric standard development<br />
activities, providing technical expertise and<br />
contributions to the creation of drafts and specifications.<br />
The organization provides technical support and activities<br />
that help to implement standards and provides leadership<br />
for the national and international bodies developing<br />
formal biometric standards. Historically, NIST has<br />
been involved in biometric standardization and testing<br />
through its work on fingerprints with the FBI. It is also<br />
co-chair of the <strong>Biometric</strong> Consortium. NIST provides the<br />
chairperson of both the INCITS M1 <strong>Biometric</strong>s Technical<br />
Committee and its international couterpart ISO/IEC JTC 1<br />
SC 37 - <strong>Biometric</strong>s.<br />
<strong>Biometric</strong> Consortium<br />
The <strong>Biometric</strong> Consortium is co-chaired by NIST and the<br />
National Security Agency (NSA) and has served as the U.S.<br />
government’s focal point for research, development, test,<br />
evaluation, and application of biometric-based personal<br />
identification and verification technology. The <strong>Biometric</strong><br />
Consortium has organized a series of highly successful<br />
annual biometric conferences. It serves as a forum for<br />
the exchange of ideas on biometrics through its electronic<br />
LISTSERV. It has also, through its <strong>Biometric</strong>s<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 5 31<br />
Interoperability, Performance, and Assurance Working<br />
Group, developed the Common <strong>Biometric</strong> Exchange File<br />
Format (CBEFF) standard. 51<br />
Other Standards<br />
In the area of non-technical standards, the IBIA (International<br />
<strong>Biometric</strong>s Industry Association) has established<br />
standards for its members, including:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Use of biometrics only for legal, ethical, and non-discriminatory<br />
purposes<br />
Highest standards of system integrity and database<br />
security to deter identity theft, protect personal privacy,<br />
and ensure equal rights<br />
Professional courtesy among competitors<br />
Truth in marketing (including accuracy claims)<br />
Demonstration that products are safe, accurate, and<br />
effective<br />
Commitment to principles of free trade<br />
Privacy principles<br />
51 See Common <strong>Biometric</strong> Exchange File Format (CBEFF)<br />
Version 2 – Summer 2008
Section 5 32 <strong>Biometric</strong> Standards and Best Practices<br />
Best Practices in Standards Development<br />
Adherence to best practices ensures that some of the<br />
variables involved in biometric accuracy measurement<br />
and reporting are controlled. However, even best practices<br />
can result in accuracy rates that are not indicative of<br />
real-world performance.<br />
<strong>Biometric</strong> standards are in place to support the widespread<br />
adoption of biometrics. The industry is aware of the need<br />
and importance of standards. Standards activities are expanding<br />
and the standards development efforts are accelerating.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 1<br />
Section 6: Testing and Evaluation<br />
Introduction<br />
How and where biometric systems are deployed ultimately<br />
depends on the security requirements, the operational<br />
environment, the cooperation of the user population,<br />
and their performance. But how can one know<br />
whichtechnologies will perform well in any given application,<br />
since performance parameters and estimates<br />
tend to vary from vendor to vendor?<br />
To adequately measure the real-life properties of biometric<br />
systems, it is important to understand the basic attributes<br />
52 of an “ideal” biometric system. They are:<br />
•<br />
•<br />
•<br />
•<br />
Universal: All members of the target user population<br />
should possess the biometric feature or identifier,<br />
such as fingerprints or iris patterns.<br />
Unique: Each biometric reference (the template or<br />
biometric “file” that is extracted from the live image)<br />
should be different from all others in the user population.<br />
Permanent: The biometric references should not<br />
vary under the conditions in which they were collected<br />
(i.e., they are stable over time and independent of<br />
changing medical conditions).<br />
Collectable: The biometric should be readily collect-<br />
52 An Introduction to Evaluating <strong>Biometric</strong> Systems. P. Jonathan Phillips,<br />
Alvin Martin, C.L. Wilson, Mark Przybocki. NIST. IEEE Computer magazine.<br />
® 2000 IEEE. Used with permission.<br />
Version 2 – Summer 2008
Section 6 2 Testing and Evaluation<br />
•<br />
•<br />
•<br />
able and quantitatively measurable.<br />
Performance: The biometric system should satisfy<br />
end-user requirements with respect to error<br />
rates (False Accept Rate, False Reject Rate, etc.) and<br />
throughput (the processing time required to complete<br />
an authentication).<br />
Acceptance: The biometric system should be acceptable<br />
to all users (recognizing that in certain instances<br />
there may be cultural, religious, or privacy-based<br />
grounds for resistance).<br />
Spoof Resistance: The biometric system should be<br />
resistant to spoofing (i.e., the presentation of the falsified<br />
image of an enrolled user) and countermeasures.<br />
The degree of spoof resistance will be determined<br />
by the sophistication of the biometric device.<br />
Evaluation and testing of biometric systems can quantify<br />
how well biometric systems perform, using the above attributes<br />
to design a testing methodology. Typically, the<br />
most reputable biometric evaluations are designed and<br />
implemented by an independent third-party other than<br />
the biometric vendor or the end-user. Such an organization<br />
would design the evaluation, administer the test,<br />
collect the test data, and analyze the results.<br />
While significant progress has been made in development<br />
of testing standards, the gains have been in general,<br />
broad areas relative to testing such as Principles and<br />
Framework (Ps and Fs), and specifying those Ps and Fs<br />
for the three main areas of testing: <strong>Technology</strong>, Scenario,<br />
and Operational (see paragraph on M1.5 in Section 5).<br />
There are currently no approved national or international<br />
standards for measuring and reporting the accuracy of<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 3<br />
specific biometric modalities in areas of testing. Indeed,<br />
despite tremendous effort by the standards development<br />
community, there is not yet agreement on taxonomy<br />
of biometric applications - the closest is an international<br />
Technical Report on modality-specific testing that<br />
attempts to define taxonomy of biometric applications<br />
so that different testing methods can be used where appropriate.<br />
The consequences of using technologies that are not<br />
compliant with standards bodies are twofold:<br />
•<br />
•<br />
The products in question may not interoperate with<br />
the products of other manufacturers.<br />
The products may not interface with other portions<br />
of the application.<br />
Understanding <strong>Biometric</strong> System<br />
Performance<br />
As the maturity of biometric technology has evolved to<br />
meet increased security infrastructure requirements, a<br />
number of groups are working to develop standardized<br />
technical factors that describe and assess the performance<br />
of biometric systems. For these vital technologies<br />
to realize their full potential for domestic and international<br />
security, it is critically important that a baseline of<br />
performance standards for technical operation and supporting<br />
processes be established and measured.<br />
No single biometric technology will universally satisfy<br />
every application: a biometric system that works well<br />
for one application may not be the best choice for an-<br />
Version 2 – Summer 2008
Section 6 4 Testing and Evaluation<br />
other. As governments and businesses around the world<br />
increasingly rely on biometrics to help secure access,<br />
transactions, and identity, there is an equally increasing<br />
demand for accurate and unbiased evaluations of<br />
biometrics. Such testing can provide accurate metrics<br />
on how the technology will perform in the real world,<br />
thus alleviating unfounded concerns about operational<br />
performance. This is particularly so after the September<br />
11, 2001, terrorist attacks in the Unites States, in which<br />
identity deception played such a prominent role. Various<br />
governments have since implemented biometric identification<br />
systems for documents such as passports, visas,<br />
and national ID cards. These programs face the important<br />
task of evaluating which biometrics are best suited<br />
for their particular application, while also having to consider<br />
which will best integrate and collaborate with other<br />
systems. Since no single biometric technology will be<br />
suitable for all applications, organizations and programs<br />
are more dependent on unbiased and reliable testing<br />
and evaluation to help them select the best biometric<br />
for their specific requirement. This demand is being met<br />
in a variety of ways, as government agencies, university<br />
research labs, for-profit, and nonprofit companies have<br />
introduced testing capabilities at various levels.<br />
Until recently, commercial vendors and biometric consultants<br />
have performed evaluations of biometric devices<br />
and systems. Such vendor-sponsored testing alone<br />
may fail to provide adequate information to the end-user<br />
because the goals of the two parties are quite different.<br />
The vendor conducts tests to improve their devices and<br />
uses the results to sell products. End-users seek test results<br />
that will aid them in selecting a device that best fits<br />
their needs, with a focus that is specific to their application<br />
and enrollee group(s).<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 5<br />
According to Dr. James Wayman, a recognized authority<br />
in biometrics and related testing, there are three major<br />
difficulties in testing biometric devices and systems. 53<br />
1.<br />
2.<br />
3.<br />
The dependence of measured error rates on the application<br />
classification.<br />
The need for a large test population that adequately<br />
models the target population.<br />
The necessity for a time delay between enrollment<br />
and testing.<br />
While thousands of live images may have been acquired<br />
to test the distinctiveness of a biometric, the good news<br />
is that these large sample sizes enable researchers to<br />
draw conclusions about uniqueness that are statistically<br />
significant. Other factors may have to be built into testing<br />
methodology, such as accommodating the fact that<br />
biometric features can “age” or change over time. Vendors<br />
rarely conduct tests of this scope and scale, since<br />
any effort to account for all variables and acquire enough<br />
samples to be credible becomes prohibitively challenging<br />
and costly. Independent testing organizations can<br />
overcome some of these challenges by drawing upon<br />
a larger data set for testing, either by using simulations<br />
from stored biometric samples or by relying on an existing<br />
pool of test subjects.<br />
Comparison of Types of Testing<br />
Over time, three important types of testing have<br />
53 Interview, June 2005.<br />
Version 2 – Summer 2008
Section 6 6 Testing and Evaluation<br />
emerged as the primary approaches to biometric<br />
product testing: technology testing (algorithm<br />
verification), scenario testing, and operational testing. 54<br />
<strong>Technology</strong> Testing<br />
<strong>Technology</strong> testing is concerned with understanding<br />
and comparing the software techniques that are used<br />
to acquire, process, and compare biometric data. The<br />
main focus is on the pattern-matching technique that is<br />
used for comparing biometric data; the process of using<br />
software algorithms to read and derive a pattern from<br />
the raw biometric image and store the result in a way to<br />
make it subject to reliable comparison later. Algorithm<br />
tests study different classification and matching<br />
methods with the goal of evaluating them on efficiency,<br />
speed, and performance. The evaluation compares<br />
competing algorithms from a single type of technology,<br />
carried out on a standardized database collected by a<br />
universal sensor, with the results determining the relative<br />
effectiveness of the tested algorithms. Although these<br />
tests are useful and repeatable, the results generally<br />
do not show real-life performance under actual<br />
field conditions with real enrollee/user populations.<br />
In algorithm evaluations, a database of biometric<br />
references is provided to test participants in<br />
advance to familiarize themselves with the data for<br />
54 Army <strong>Biometric</strong> <strong>Application</strong>s: Identifying and Addressing SocioCultural<br />
Concerns. John D. Woodward, Katharine W. Webb, Elaine M. Newton,<br />
Melissa Bradley, David Rubenson. 2001. www.rand.org Santa Monica,<br />
CA: RAND Corporation. Used with permission. .<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 7<br />
developmental or tuning purposes. The actual test<br />
data is conducted on a new, sequestered portion of<br />
the database. The use of fixed databases ensures the<br />
same test will be given to all participants. Because the<br />
database is fixed, the results of technology tests are<br />
repeatable. Offline processing of data is carried out<br />
in a laboratory environment. For example, a testing<br />
facility will take fingerprint samples from 200 people.<br />
Vendors participating in the test would be given copies<br />
of 50 of these prints to calibrate and fine-tune their<br />
equipment. Actual testing would use the remaining<br />
150 samples to compute various performance values.<br />
The purpose of technical performance testing is to<br />
determine the range of error and throughput rates,<br />
with the goal of understanding and predicting realworld<br />
error and throughput performance of biometric<br />
devices and systems. During algorithm or technology<br />
testing, families of end-to-end system-level tests or<br />
tests of complete software products and readers can<br />
be performed. These tests focus on determining the<br />
operating characteristics of the technology and are<br />
designed to compare one or more systems under<br />
controlled conditions against a similar set of inputs.<br />
Evaluations of biometric systems generally proceed<br />
from the general technology to the specific application<br />
of that technology. The next level of testing (Scenario)<br />
determines which applications or scenarios need to be<br />
Version 2 – Summer 2008
Section 6 8 Testing and Evaluation<br />
evaluated.<br />
Scenario Testing<br />
Scenario testing is used to test the performance of<br />
biometric systems in an environment that models<br />
real-world applications to evaluate and compare<br />
performance across biometric devices. In contrast to<br />
algorithm or technology evaluation, each system in<br />
scenario testing has its own acquisition sensor and<br />
therefore receives different data inputs than those tested<br />
in technology (algorithm) evaluation. In other words,<br />
a scenario test determines how well the technology<br />
works in the context of the proposed application.<br />
Scenario evaluation helps an end-user decide which<br />
biometric device will work best for his/her needs.<br />
It is important that data collection for all tested systems in<br />
scenario evaluations come from the same environment<br />
and same population. Because it is difficult to precisely<br />
control different scenario model and field conditions, test<br />
results are only considered repeatable under identical<br />
control variables and environment. Depending upon the<br />
storage capabilities of the device, both on-and off-line<br />
transactions may be combined in scenario evaluations.<br />
Operational Testing<br />
Operational testing is typically used to evaluate pilot<br />
programs, going beyond scenario testing to determine<br />
the performance of a complete biometric system in a<br />
specific application (field) environment with a specific<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 9<br />
target population. It helps to determine how the system<br />
will perform as a whole based on these factors. Off-line<br />
testing may or may not be possible, depending upon the<br />
storage capabilities of the device. Overall, test results<br />
from operational evaluations are not repeatable because<br />
of the range of unknown and undocumented differences<br />
between operating environments.<br />
An operational evaluation tests a live system deployed<br />
in its native environment for its intended application. It<br />
differs from a scenario test in that the population and<br />
environment are not controlled. One specific distinction<br />
between the two is that an imposter’s presence would<br />
not generally be known in an operational test, making it<br />
impossible to quantify the probability of false acceptance.<br />
During operational testing, system vulnerability can<br />
also be performed. Vulnerability tests have the goal of<br />
understanding how systems can be defeated or how<br />
they fail on their own.<br />
Errors that can potentially affect biometric technology<br />
performance can come from four different sources. 55<br />
55 Army <strong>Biometric</strong> <strong>Application</strong>s: Identifying and Addressing SocioCultural<br />
Concerns. John D. Woodward, Katharine W. Webb, Elain M. Newton,<br />
Melissa Bradley, David Rubenson. 2001. www.rand.org Santa Monica,<br />
CA: RAND Corporation. Used with permission.<br />
Version 2 – Summer 2008
Section 6 10 Testing and Evaluation<br />
1. Variations in the biometric pattern itself<br />
2. Variations in the way users present the biometric<br />
during live verification or identification attempts.<br />
3. Variations in the way the sensor reads the biometric<br />
trait.<br />
4. Variations in the transmission process (including noise<br />
introduced by compression and expansion).<br />
Each of these factors is typically related to a specific<br />
application and a single test environment cannot predict<br />
potential error rates for all applications. Therefore, results<br />
from laboratory testing (whether vendor or otherwise)<br />
are highly dependent on the test population and are<br />
not necessarily a useful predictor of errors in real-world<br />
uses.<br />
The following table summarizes the differences between<br />
the types of tests and the treatment of various factors.<br />
Version 2 – Summer 2008
COMPARISON OF ALGORITHM, SCENARIO, AND OPERATIONAL TESTING 56<br />
Type of Test<br />
Factor Algorithm Scenario Operational<br />
Subject of testing<br />
<strong>Biometric</strong> component (matching or<br />
<strong>Biometric</strong> system <strong>Biometric</strong> system<br />
extraction algorithm, sensor)<br />
Ground truth<br />
Known, test subject to data collection<br />
Known, test subject to data collection<br />
Unknown<br />
errors and intersections in merged data<br />
errors and tester failure to note un-<br />
sets<br />
wanted test subject behavior<br />
Uncontrolled<br />
Controlled (unless test subject behavior<br />
is an independent variable)<br />
Not applicable during testing. May be<br />
known to be controlled when biometric<br />
data recorded, otherwise considered<br />
to be uncontrolled.<br />
Subject behavior controlled<br />
by experimenter<br />
No Maybe Yes<br />
Subject has real-time<br />
feedback of the result of<br />
attempt<br />
Not repeatable<br />
Repeatability of results Repeatable Quasi-repeatable (if test scenario and<br />
population controlled)<br />
Controlled and/or recorded Not controlled, ideally<br />
recorded<br />
May be known to be controlled when<br />
biometric data recorded, otherwise<br />
considered to be uncontrolled<br />
Control of physical<br />
environment<br />
56 Adapted from INCITS/M1-04-0570 Project INCITS 1602-D Part 3: Scenario Testing.
COMPARISON OF ALGORITHM, SCENARIO, AND OPERATIONAL TESTING 56<br />
Type of Test<br />
Factor Algorithm Scenario Operational<br />
Recorded Recorded during<br />
enrollment. May be<br />
recorded during verification/identification<br />
Not applicable during test. May<br />
be recorded when biometric data<br />
recorded.<br />
Subject interaction<br />
recorded<br />
Externally consistent<br />
Results Internally consistent Compromise between internal and<br />
external consistency<br />
Measure performance<br />
in an operational environment.<br />
Compare biometric systems; determine<br />
critical performance factors.<br />
Measure simulated performance.<br />
Comparison of biometric components<br />
or versions of components (e.g., matching<br />
or extraction algorithms or sensors).<br />
Determine critical performance.<br />
Typical results reported<br />
Operational FRR. Operational<br />
FAR.<br />
Predicted end-to-end throughput,<br />
FMR, FNMR. FTA, FTER. End-to-end<br />
throughput.<br />
Most performance metrics. Not endto-end<br />
throughput. Most error rates.<br />
Good for large-scale identification<br />
system performance where difficult to<br />
assemble large test crew.<br />
Typical metrics<br />
Appropriate test database, e.g., gath-<br />
Operational, instrumented system Operational, instruered<br />
with one or more sensors, the<br />
mented system;<br />
identity of which may or may not be<br />
typically only decision<br />
known<br />
rates are available<br />
Human test population Recorded Live Live<br />
Constraints
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 13<br />
ROC, DET, and CMC Curves<br />
When presenting test results, the matching or decisionmaking<br />
performance of biometric systems are graphically<br />
represented using Receiver Operating Characteristics<br />
(ROC), Detection of Error Trade-off (DET), or Cumulative<br />
Match Characteristic (CMC) curves.<br />
A ROC curve is a plot of the rate of “false matches” (attempts<br />
by an imposter that were accepted by the system on the<br />
x-axis against the corresponding rate of “true matches” (or<br />
acceptances of a genuine person) plotted on the y-axis. 57<br />
ROC curves are threshold-independent, which allow for<br />
comparison of different systems under similar conditions,<br />
or the same system under differing conditions.<br />
Figure 6-1 Example ROC curve. 58<br />
57 See “Performance Measures” below for an explanation of False Acceptance<br />
Rates, False Reject Rates, and other important measurements of biometric<br />
performance.<br />
58 Chart from Best Practices in Testing and Reporting Performance of<br />
<strong>Biometric</strong> Devices. Tony Mansfield and James Wayman. August 2002. Used<br />
with permission.<br />
Version 2 – Summer 2008
Section 6 14 Testing and Evaluation<br />
Another means of plotting test results is a DET curve, a<br />
modified ROC curve that plots error rates on both axes<br />
(false matches on the x-axis and false rejections on the<br />
y-axis).<br />
Figure 6-2 Example DET curve. 59<br />
A third type of results graph is a Cumulative Match Characteristic<br />
(CMC) curve, which provides a graphical presentation<br />
of identification task test results and plots rank<br />
values on the x-axis with the corresponding probability<br />
of correct identification or verification at or below that<br />
rank on the y-axis.<br />
59 Chart from Best Practices in Testing and Reporting Performance of <strong>Biometric</strong><br />
Devices. Tony Mansfield and James Wayman. August 2002. Used<br />
with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 15<br />
Figure 6-3 Example CMC curve. 60<br />
In the full scope of biometric testing, each of these types<br />
of tests has its utility, with some more oriented to the<br />
developer and manufacturer (technology) and others to<br />
the user. In practice, all three approaches provide useful<br />
information on how the device and system will perform<br />
and assist in the selection process. Primary examples of<br />
how data from the curves are used include:<br />
1. Determining optimal settings for a particular device to<br />
achieve the desired balance between false non-matches<br />
and false acceptances<br />
2. Determining which device achieves the desired mix<br />
for both throughput considerations (minimizing false<br />
non-matches) and security considerations (deciding how<br />
resistant to false acceptances the application must be).<br />
60 Chart from Face Recognition Vendor Test 2002 – Evaluation Report<br />
March 2003. DARPA, NIST, DoD Counterdrug <strong>Technology</strong> Development<br />
Program Office, and NAVSEA Crane Division.<br />
Version 2 – Summer 2008
Section 6 16 Testing and Evaluation<br />
Measuring <strong>Biometric</strong> Performance<br />
Historically, biometric performance testing has focused<br />
on biometric systems’ technical (algorithmic) performance<br />
or error rates (false match and false non-match).<br />
Various types of algorithm verification/technical performance<br />
testing can be viewed as measurement, comparison,<br />
prediction, and qualification.<br />
Additional parameters may also be considered when<br />
evaluating the operational performance of biometric<br />
components and systems. These include:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Reliability, availability, and maintainability<br />
Security, including vulnerability to spoofing<br />
Human factors, including user acceptance<br />
Cost/benefit in comparison to existing security processes<br />
and systems, and<br />
Privacy regulation compliance.<br />
Security tests, including data security and anti-spoofing<br />
tests, are increasingly being incorporated into biometric<br />
evaluations. Interoperability or plug-and-play tests<br />
are other important variations used to evaluate when<br />
assessing system performance. In a broad sense, the<br />
performance of biometric systems for identification and<br />
verification is a function of:<br />
61 Intentionally fooling a biometric device or system by employing the<br />
falsified biometric image of an authorized user.<br />
61<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 17<br />
•<br />
•<br />
The strength of the underlying biometric<br />
The quality and information content of the input,<br />
and<br />
62<br />
• Configuration and architecture of the system.<br />
Factors contributing to the strength of the biometric being<br />
measured include:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Individual variability<br />
Population variability<br />
Accuracy of measurement<br />
Repeatability of measurement, and<br />
Selectivity of the biometric.<br />
The performance of biometric systems can be generally<br />
described as a function of accuracy and throughput. Error<br />
rates, the nature of failures and their costs, and system<br />
vulnerabilities contribute to an overall assessment<br />
of system performance. Additionally, while most of the<br />
performance metrics tend to focus at the biometric device<br />
level, it is important to understand that biometric<br />
devices are components of larger systems, which impose<br />
external variables and interoperability issues that<br />
impact biometric system performance in the field environment.<br />
62 <strong>Biometric</strong> Principles, <strong>Application</strong>s, Opportunities and Issues, biometrics<br />
2004 presentation. Dr. Craig Arndt, Mitretek Systems. London, UK.<br />
Version 2 – Summer 2008
Section 6 18 Testing and Evaluation<br />
Perhaps the greatest source of variability is the biometric-contributing<br />
subject itself: the human being. Human<br />
factors, such as aging, medical condition, degree of<br />
sobriety, emotional state, etc., present significant issues<br />
that impact biometric system performance. There is a<br />
recognized need for applied research and understanding<br />
of human factors and other environmental and operation<br />
conditions impacting fielded performance in<br />
biometric systems deployment. The scale or volume of<br />
biometric systems presents additional problems that<br />
impact system performance considered outside of the<br />
scope of device testing. User acceptance and applications<br />
specific limitations in the biometric deployment<br />
environment also impose additional factors which affect<br />
overall operational performance.<br />
Performance Measures<br />
The following performance metrics are generally applicable<br />
to all biometric devices and are defined in the testing<br />
and reporting best practices document developed<br />
by Mansfield and Wayman. 63 These performance metrics<br />
include:<br />
• False Accept Rate (FAR) : This is the expected proportion<br />
of transactions with wrongful claims of identity<br />
(in a positive ID system) or non-identity (in a negative<br />
ID system) that are incorrectly confirmed. A<br />
transaction may consist of one or more wrongful attempts<br />
dependent upon the decision policy. A false<br />
63 Best Practices in Testing and Reporting Performance of <strong>Biometric</strong><br />
Devices. Version 2.01, <strong>Biometric</strong>s Working Group. Tony Mansfield and<br />
James Wayman. August 2002. Used with permission<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 19<br />
acceptance is often referred to in the mathematical<br />
literature as a “Type II” error.<br />
• False Reject Rate (FRR) : This is the expected proportion<br />
of transactions with truthful claims of identity<br />
(in a positive ID system) or non-identity (in a negative<br />
ID system) that are incorrectly denied. A transaction<br />
may consist of one or more truthful attempts dependent<br />
upon the decision policy. A false rejection is<br />
often referred to in the mathematical literature as a<br />
“Type I” error.<br />
• Matching Errors:<br />
Matching errors such as False<br />
Match Rate (FMR) and False Non-Match Rate (FNMR)<br />
refer to matching algorithm errors for a single comparison<br />
of a submitted sample against a single enrolled<br />
reference/model.<br />
The FMR is the expected probability that a sample<br />
will be falsely declared to match a single randomly<br />
selected “non-self” (genetically different) reference.<br />
(A FMR is sometimes referred to as a “false<br />
positive”).<br />
The FNMR is the expected probability that a sample<br />
will be falsely declared not to match a reference<br />
of the same measure by the same user. (A FNMR is<br />
sometimes called a “false negative”).<br />
• Failure to Enroll:<br />
The Failure to Enroll (FTE) rate is<br />
the expected proportion of the population that is unable<br />
to enroll their biometric in order to create a reference<br />
of sufficient quality for subsequent automated<br />
operation. This may occur for a number of reasons.<br />
Persons with disabilities, for example, may be unable<br />
to present the required biometric feature, or provide<br />
Version 2 – Summer 2008
Section 6 20 Testing and Evaluation<br />
an image of sufficient quality at time of enrollment. In<br />
some cases, the biometric trait may be less distinctive<br />
and prevent individuals from reliably matching the<br />
reference in attempts to confirm the enrollment is usable.<br />
In this sense, the FTE is also dependent upon the<br />
particular enrollment policy as to allowable attempts.<br />
• Failure to Acquire:<br />
This is the expected proportion<br />
of transactions for which the system is unable to capture<br />
or locate an image or signal of sufficient quality<br />
for matching purposes. This rate may be dependent<br />
upon adjustable thresholds for image quality.<br />
• Transaction or Throughput Times: Transaction<br />
times can be characterized by the theoretical time it<br />
takes to match a reference sample to the live reference<br />
presented. It can be applied in the context of<br />
both identification and verification systems. In both<br />
cases, the theoretical rate won’t necessarily represent<br />
real-world throughput rates, due to the wide range<br />
of operational variables that impact transaction-processing<br />
speed in live scenarios.<br />
The Qualified Products List<br />
A step in the direction for more standardized testing is<br />
the emergence of Qualified Product Lists (QPL) of biometric<br />
products that have been subjected to independent<br />
and objective testing. The QPL concept was initiated<br />
and first commercialized by NBSP and is now used<br />
by the community to describe the process of identifying<br />
those biometric products that have successfully passed<br />
the thresholds for evaluating performance against a series<br />
of published Common Performance Standards (CPS).<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 21<br />
QPL’s are not attempts to describe how well a biometric<br />
system performs, but whether it does or does not meet<br />
a specified level of performance. What that level is can<br />
be an industry consensus standard, or it can be a level<br />
established by a potential user or agency. The important<br />
issue is that it be publicly known and reported openly as<br />
part of the evaluation. The NBSP/BSI QPL test program<br />
consists of performance testing and, if applicable, standards<br />
conformance testing.<br />
The NBSP/BSI QPL Performance Test<br />
This test utilizes a comprehensive scenario testing capability<br />
to evaluate the ability of a biometric device to<br />
operate against a set of performance levels, also known<br />
as Common performance Standards (CPS). In the NBSP<br />
QPL, each biometric device is tested during a six to eight<br />
week period by at least 200 NBSP trained operators (test<br />
participants). During this period, each device is activated<br />
a minimum of 10,000 times. The performance measures<br />
are determined by actual activations as opposed to<br />
theoretical computer analyses. The four main CPS criteria<br />
against which all products are tested are:<br />
•<br />
•<br />
•<br />
•<br />
False Accept Rate<br />
False Reject Rate + Failure to Acquire Rate<br />
Failure to Enroll Rate<br />
Throughput Rate<br />
Version 2 – Summer 2008
Section 6 22 Testing and Evaluation<br />
Demographics<br />
Demographics is a key consideration accounted for in<br />
NBSP/BSI’s enhanced scenario test procedures. The common<br />
aspects of sample demographics are gender, age,<br />
and ethnicity. Samples are normally drawn in a manner<br />
that forms a pool of people whose demographics closely<br />
resembles the total target population. Not only should<br />
the sample reflect the age distribution profile of the target<br />
population, but the age distribution by gender and<br />
ethnicity.<br />
Demographic considerations may also include a requirement<br />
for finer gradations of ethnicity. The three major<br />
categories of racial origins (European, Asian, and African)<br />
are often subdivided in so many ways that a sample<br />
that attempts to accurately reflect the multi-dimensional<br />
profile of the target population could become unmanageable.<br />
Trade-offs are often required between the degree<br />
of precision in matching the desired profile and the<br />
practical resource availability for conducting the test program.<br />
Sample Size<br />
The adequacy of a sample size is not a linear function. That<br />
is, although we know that it is difficult to draw meaningful<br />
conclusions with too few subjects in the sample, there is<br />
often an upper limit where increasing the size of the sample<br />
does not lead to a comparable increase in the utility of<br />
the findings, depending on the nature of the study. Statistically,<br />
a sample of 13 is about as small as practical for<br />
any kind of study. At the other end, national opinion polling<br />
and other studies yield surprisingly accurate assess-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 23<br />
ments with as few as 600 to 1800 respondents. The problem<br />
with computing adequate sample sizes in advance<br />
of testing is that the equations use the mean value of the<br />
test and a measure of the distribution of deviations about<br />
the mean. Until the test is conducted, however, these<br />
two values are unknowns. In their place, estimates of the<br />
likely mean and deviation values are used. Consequently,<br />
the accuracy of the sample statistics depends upon one’s<br />
ability to make correct estimates.<br />
BSI addresses these issues by maintaining a volunteer<br />
group of 500+ operators. Demographic information can<br />
be modeled after the client’s required user group to create<br />
a more accurate test scenario.<br />
An important aspect of the QPL as administered by NBSP/<br />
BSI is limiting disclosure that a product has not passed<br />
the test to the submitting vendor. While it is important<br />
that the vendor understand the basis for a product’s failure<br />
in the test process, it does not serve the objectivity<br />
of the process to indirectly participate in marketing or<br />
competitive advertising efforts based only on QPL performance.<br />
A product can be re-submitted after improvement,<br />
and buyers are protected by simply requiring that<br />
any product proposed for use in their application MUST<br />
be listed on the QPL.<br />
The NBSP/BSI QPL Conformance Test<br />
This test evaluates devices to determine conformance<br />
with relevant published ISO/IEC standards. Generally,<br />
conformance testing is conducted by using conformance<br />
test suites designed for specific standards. Such<br />
evaluations will be expanded to include additional<br />
Version 2 – Summer 2008
Section 6 24 Testing and Evaluation<br />
standards as the software modules are written and field<br />
tested. NBSP/BSI currently tests against the following<br />
standards are required.<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
INCITS 377-2004<br />
INCITS 378-2004<br />
ISO 19794-2-2005<br />
INCITS 379-2004<br />
INCITS 396-2005<br />
INCITS 395-2005<br />
ILO SID<br />
ICAO LDS 1.7<br />
BioAPI<br />
INCITS 381-2004<br />
INCITS 385-2004<br />
The Transportation Security Administration (TSA) recently<br />
initiated its own version of a QPL testing program for<br />
biometric products to be used in airports. The TSA QPL<br />
testing ensures that all of the devices that make it on the<br />
list have passed a minimum level of capability. Testing includes<br />
the use of more than 250 subjects, representative<br />
of a typical airport population in gender, age, and occupation.<br />
The subjects visit multiple times over a period of<br />
six weeks to best simulate a real use pattern for an indoor<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 25<br />
application. At the time of this writing, U.S. Department<br />
of Defence procurements are calling for the implementation<br />
of a QPL for DoD products.<br />
The end-user benefits of a biometric Qualified Product<br />
List include:<br />
1.<br />
2.<br />
3.<br />
4.<br />
A catalog of commercially available products that<br />
meets minimum standards for use in civil infrastructure<br />
applications<br />
A significant reduction in the need for duplicative pilot<br />
testing for general use<br />
Acceleration of the acquisition process by identifying<br />
a field of suitable products that met QPL thresholds<br />
An opportunity for vendors’ products in multiple<br />
modalities, with different features, to demonstrate<br />
general or common performance capabilities.<br />
Other Types of Testing:<br />
Vulnerability Testing<br />
While not always the case, it is generally accepted that a<br />
biometric system is most vulnerable at the reader level,<br />
as this is the primary interaction point for users and the<br />
critical function where the biometric feature is presented<br />
to the system. Vulnerabilities or attacks that a biometric<br />
system could face include, but are not limited to:<br />
•<br />
Impersonation attempts (disguises) or spoofing (artifact<br />
substitution for live feature)<br />
Version 2 – Summer 2008
Section 6 26 Testing and Evaluation<br />
•<br />
•<br />
•<br />
Database attacks (exchanging or corrupting references)<br />
Tampering with threshold settings<br />
Network-based attacks<br />
In its most basic form, vulnerability testing is the practice<br />
of finding weaknesses and exploiting them. These tests<br />
also involve statistical studies to assess risks and estimate<br />
the ultimate “strength of function” for a given system.<br />
“Strength of function” arguments are statistical models<br />
developed to define the attack space for the identifier. 64<br />
This is an attempt to assess the probability that a suitable<br />
identifier can be generated to match another identifier in<br />
the population that is sufficiently similar (a false accept).<br />
It is important that product “vulnerabilities” be defined<br />
in the context of the operating environment and proper<br />
usage within the design parameters of the product. For<br />
example, it serves little purpose to employ a biometric<br />
in an unmonitored setting and give an attacker an unlimited<br />
number of attempts to defeat the system, when<br />
the system is not intended or designed for remote and<br />
unmonitored use. Most biometric products would fit in<br />
this category today. To show that a biometric product is<br />
vulnerable to such repetitive attacks does not mean the<br />
product is not useful when properly employed.<br />
64 From <strong>Biometric</strong>s: Identity Assurance in the Information Age. John D.<br />
Woodward, Jr. McGraw-Hill. 2003. Pg. 193. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 27<br />
Security Testing<br />
While vulnerability testing focuses on the primary weaknesses<br />
in a specific biometric to improve its design and<br />
performance, there is a case to be made for a more generic<br />
approach to testing for security in the operation of<br />
biometric-based identity management systems. Such<br />
tests can lead to development of countermeasures<br />
against both common and developing threats to system<br />
effectiveness and reliability. Expressed as standard or<br />
“best practice” methods, manufacturers can be expected<br />
to adopt such findings in the design, development,<br />
and production of new biometric products. Conversely,<br />
buyers should be aware of different levels of security inherent<br />
in a product to determine suitability for critical<br />
applications. For example, it can be expected that a biometric<br />
controlling entry into a nuclear site might require<br />
a higher level of intrinsic security design than one used<br />
for a commercial purchase.<br />
Progress in this area of testing has been relatively slow.<br />
Initiatives to date include:<br />
•<br />
•<br />
•<br />
The SC 27 Subcommittee for Information <strong>Technology</strong><br />
Security Techniques is developing WD 19792,<br />
a Framework for security evaluation and testing of<br />
biometric systems.<br />
A <strong>Biometric</strong> Verification Mode Protection Profile for<br />
Medium Robustness Environments has been validated.<br />
This incorporates a list of security requirements<br />
and functionality to be addressed in any test.<br />
There is some level of interest in including biometric<br />
technology in the Common Criteria program, howev-<br />
Version 2 – Summer 2008
Section 6 28 Testing and Evaluation<br />
er, that process is arduous, time consuming and costly<br />
to manufacturers and would need to be streamlined<br />
to justify and gain more widespread support. A<br />
draft document described as a <strong>Biometric</strong> Evaluation<br />
Methodology Supplement is reportedly under development,<br />
which will hopefully meet the need while<br />
addressing concerns regarding the process.<br />
Interoperability Testing<br />
The increasing use of multi-modal biometric systems<br />
demands an acceleration of biometric interoperability.<br />
Interoperability testing assesses the ability to exchange<br />
and use information on a single system in a multi-modal<br />
environment, as well as the interface of the biometric<br />
component with the holistic security program.<br />
Considering the broad mission requirements for biometric<br />
technology, the scope of the threat against its effective<br />
use and the continuing state of technology development;<br />
it is prudent for BSI and any testing activity to<br />
embrace and support all types of biometric testing. The<br />
obvious objectives are to assist the industry in producing<br />
the best products that they can and enable the user to<br />
have confidence in integrating those products into an effective<br />
security program.<br />
ISO/IEC 17025 Accreditation<br />
To assure the quality and consistency of its testing operations<br />
and processes BSI underwent the exhaustive procedures<br />
required for ISO/IEC 17025 [General Requirements<br />
for Competence of Testing and Calibration Laboratories]<br />
Accreditation. As of this printing, BSI is the only labora-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 29<br />
tory exclusively focused on biometrics to have received<br />
this accreditation. Requirements of this lab-testing standard<br />
include:<br />
1.<br />
2.<br />
3.<br />
4.<br />
Accounting for factors affecting the reliability of the<br />
tests<br />
–<br />
–<br />
–<br />
–<br />
Human factors<br />
Test method<br />
Environmental Conditions<br />
Sampling methods<br />
Retention of Records<br />
–<br />
–<br />
Original observations<br />
Derived data<br />
Estimating uncertainty of measurement<br />
–<br />
Degree of rigor depends upon the test environment<br />
Formatting of reports<br />
–<br />
–<br />
–<br />
Accommodate each type of test<br />
Minimize possibility of misunderstanding or misuse<br />
Recommendation of the statement “this test report<br />
shall not be reproduced except in full without<br />
approval of this laboratory.”<br />
Version 2 – Summer 2008
Section 6 30 Testing and Evaluation<br />
Such certifications provide the organizations with:<br />
1.<br />
2.<br />
3.<br />
4.<br />
Internal operational efficiency<br />
Lower costs because of fewer nonconforming products,<br />
less rework, streamlined processes and fewer<br />
mistakes<br />
Well defined and documented procedures to improve<br />
the consistency of output<br />
Quality that is constantly measured<br />
Other Testing Considerations<br />
Scalability and Usability<br />
Scalability is most often considered from the perspective<br />
of the technical infrastructure. A highly scalable biometric<br />
is one that could be deployed effectively to identify<br />
individuals in a large population without incurring unacceptable<br />
error rates or throughput times. A biometric<br />
that is poorly scalable is one that could not handle large<br />
databases without incurring unacceptable error rates.<br />
The scalability of a biometric is tied to the basic individuality<br />
or selectiveness of the biometric itself, technical performance<br />
(error rates) and degree of robustness, and efficiency<br />
of the algorithms.<br />
Scalability should also be considered from a human<br />
point of view. Does the application present a closed environment<br />
with relatively homogenous user population,<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 31<br />
or does the application need to scale to accommodate a<br />
user base (such as the prospective size of a national population)?<br />
If the system does not scale well, enrollment<br />
and authentication processes are likely to become bothersome.<br />
This could lead to the frequent need for manual<br />
intervention and exception handling, which can be a<br />
detriment to system usability.<br />
Other factors that affect usability include the intuitiveness<br />
of the system interface with the user community, as<br />
well as questions such as:<br />
•<br />
•<br />
•<br />
Is the transaction an inviting and positive experience?<br />
Is consistent instruction and feedback built into the<br />
process?<br />
Is the performance reliable for operational staff as<br />
well as users?<br />
It is important to note that if users do not accept the<br />
technology in the proposed application, the technology<br />
will fall short of its intended benefits. Sometimes usability<br />
factors can be more important than raw performance<br />
for certain applications, especially if the application has<br />
high throughput requirements and a diverse, unpredictable<br />
user population. Incorporating human factors and<br />
ergonomic considerations into the design can greatly<br />
improve the usability of biometric systems and enhance<br />
performance.<br />
Compliance with Standards<br />
There is a recognized need in the biometrics community<br />
for a process for users and developers to determine<br />
Version 2 – Summer 2008
Section 6 32 Testing and Evaluation<br />
whether an implementation conforms to a biometric standard.<br />
Over the years NIST has partnered with the industry<br />
and numerous federal agencies in groups to accelerate<br />
national and international biometric standardization.<br />
NIST is currently leading the change for conformancetesting<br />
clauses in the developing standard testing methodologies<br />
through standards bodies, such as the International<br />
Committee for Information <strong>Technology</strong> Standards<br />
(INCITS) M1 committee, and ISO SC 37 WG5 (see Section<br />
5 for additional details on standards development). This<br />
involves leading efforts to harmonize testing by different<br />
organizations, such as the development of equivalent<br />
test tools to ensure consistent test results.<br />
Conformance testing determines whether a biometric<br />
system conforms to a designated standard by assessing<br />
if an implementation of the system faithfully implements<br />
the technical specifications of the standard.<br />
Users and system developers need to determine system<br />
interoperability for biometric data. Interoperability testing<br />
consists of the testing of one implementation (product,<br />
system) with another to establish that they can work<br />
together properly.<br />
The first projects for development of conformance and<br />
interoperability testing are in the area of technical interfaces<br />
(e.g., BioAPI and CBEFF). These include development<br />
of conformance testing standards, which will determine<br />
how a test laboratory determines conformance<br />
of a product to the Bio API standard, such as:<br />
•<br />
•<br />
ISO 24709-1 Conformance Testing for BioAPI Methods<br />
and Procedures (published).<br />
ISO 24709-2 Test Assertions for <strong>Biometric</strong> Service Pro-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 33<br />
•<br />
•<br />
•<br />
viders (published).<br />
ISO 24709-3 Test Assertions for BioAPI Frameworks<br />
(under development).<br />
Conformance Testing Methodology for INCITS<br />
358:2002 BioAPI Specification, (ANSI/INCITS<br />
429-2007) (published).<br />
Information <strong>Technology</strong> - Conformance Testing<br />
Methodology Standard for Patron Formats Conforming<br />
to INCITS 398-200x (Revision of INCITS 398:2005),<br />
Information <strong>Technology</strong> - Common <strong>Biometric</strong> Exchange<br />
File Format (CBEFF) (under development).<br />
Although the development of biometric standards and<br />
protocols is dealt with in more detail in Section 5, it should<br />
be noted that national and international standards committees<br />
are working to develop biometric testing standards.<br />
The caveat on currency in Section 5 applies to test<br />
and evaluation standards, and the most current information<br />
can be found on the NBSP Web site at: http://www.<br />
nationalbiometric.org/ and at http://www.biometricsinternational.org.<br />
Test and evaluation projects currently<br />
underway include:<br />
•<br />
•<br />
•<br />
Interoperability Performance Testing - specifying<br />
how to conduct performance-based interoperability<br />
testing for biometric systems<br />
Scenario Evaluation <strong>Biometric</strong> Access Control Systems<br />
- defining how to test biometric performance<br />
in an access control system<br />
Testing Methodologies for Operational Evaluation -<br />
giving specific details and requirements for conduct-<br />
Version 2 – Summer 2008
Section 6 34 Testing and Evaluation<br />
•<br />
•<br />
•<br />
•<br />
•<br />
ing an operational test<br />
Machine Readable Test Data for <strong>Biometric</strong> Testing<br />
and Reporting - defining a machine readable format<br />
for biometric test reports and test databases to facilitate<br />
automated evaluation of biometric products<br />
and comparison of test results<br />
Security Evaluation of <strong>Biometric</strong>s - providing a framework<br />
for evaluating security of biometric technology<br />
when used for physical or logical access<br />
Framework for Testing and Evaluation of <strong>Biometric</strong><br />
Systems for Access Control - specifying standards for<br />
testing performance of biometric access control systems<br />
Framework for Testing Methodologies for Specific<br />
Environments of <strong>Biometric</strong> Systems - describing<br />
modifications to general test guidelines required for<br />
testing of specific biometric modalities in specific environments<br />
Statistical methods for decision making - dealing<br />
with the final two stages of the biometric testing lifecycle<br />
Testing Protocols<br />
“A review of biometric device testing over the last two decades<br />
shows a wide variety of conflicting and contradictory<br />
testing protocols. Even single organizations produce multiple<br />
tests, each using a different test method. The variety<br />
of protocols and reporting methods hinders the comparison<br />
and proper understanding of test results. Test protocols<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 35<br />
have varied not only because test goals and available data<br />
are different from one test to the next, but also because<br />
there was not standard for protocol creation.” 65<br />
A number of issues can be identified that have contributed<br />
to the problems pointed out by Dr. Mansfield.<br />
Different metrics have been used for measuring and reporting<br />
biometric systems performance. These variances<br />
include the accuracy metrics employed such as FAR<br />
and FRR; a measure of the “identification rate”; and the<br />
extent of detail reported upon. Another variability issue<br />
is whether the tests measure and/or report performance<br />
at a single point or utilize a range of performance<br />
presented in ROC and DET curves. Another disparity is<br />
whether one reports differences from measuring and/or<br />
reporting a single point or from multiple attempts at verification.<br />
Additional metrics that can be applied include<br />
speed of acquisition and degree of user habituation.<br />
Other reported testing problems include unscientific approaches,<br />
such as using developmental data and results<br />
derived from test data sets that are too small for inferring<br />
the resulting performance claims. Additional issues have<br />
been raised by cases where the wrong data was actually<br />
saved and instances where changes made during the<br />
test had unforeseen impact upon the test results.<br />
The international community recognizes the need for<br />
developing standards that will provide for common metrics<br />
in order for a baseline of biometric evaluations to be<br />
compared. Also important is a standardization method<br />
of presentation, so users can rely upon the results to be<br />
65 <strong>Biometric</strong>s 2004 Delegate <strong>Manual</strong>. Tony Mansfield, Principal Research<br />
Scientist, National Physical Laboratory, UK.<br />
Version 2 – Summer 2008
Section 6 36 Testing and Evaluation<br />
formatted in a way that communicates common parameters.<br />
Full reporting of test conditions will be required in<br />
order that test results and their applicability to specific<br />
scenarios will be clear. Underlying the standards is a call<br />
for good scientific testing practice, which is unbiased, repeatable,<br />
minimizes the level of effort required for performance<br />
certainty, and detects or prevents manipulation<br />
of results.<br />
Evaluation Protocols<br />
An evaluation protocol determines how a biometric system<br />
is tested, data is selected, and performance is measured.<br />
The most successful and valuable evaluations<br />
are administered by an independent third-party that<br />
uses biometric references that have not previously been<br />
“seen” by the system. This is an important differentiation<br />
because if the system is not tested with previously “unseen”<br />
biometric references, the system is merely being<br />
trained to function using a particular set of data.<br />
For evaluation results and recommendations to be broadly<br />
accepted by the marketplace, procedures, protocols,<br />
results, and samples of the data used in testing should be<br />
published. The evaluation and testing should also be sufficiently<br />
documented and detailed so others can repeat<br />
the evaluation, if necessary, to see if similar or disparate<br />
results are achieved.<br />
Borrowing from the children’s take Goldilocks and the<br />
Three Bears, the three bears principle of “just right” has<br />
often been used to describe biometric testing. If products<br />
are to be tested, the most informative and valuable<br />
tests to run are those that are neither too easy nor too<br />
hard. The tests should be somewhere in the middle, or<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 37<br />
“just right.” If a test is too easy, all products will pass. If the<br />
test is too hard, no products will pass. The desired “just<br />
right” medium point is achieved when test objectives are<br />
chosen to produce a range of results so that clear distinction<br />
can be drawn between the performance of various<br />
products and technologies. Here again, the influence of<br />
the operating environment and reasonable expectations<br />
of performance in that environment should determine<br />
what is “just right.”<br />
<strong>Technology</strong> and Product Evaluations<br />
Fingerprint Vendor <strong>Technology</strong> Evaluation 2003 66<br />
In 2003, NIST conducted a technology evaluation for fingerprint<br />
systems that was sponsored by the Fingerprint<br />
Matching Division of the U.S. Department of Justice. The<br />
Fingerprint Vendor <strong>Technology</strong> Evaluation (FpVTE) was<br />
an accuracy evaluation of fingerprint matching, identification<br />
and verification systems. The purpose was<br />
to identify the most accurate fingerprint matching systems<br />
and determine the effect of a number of variables<br />
on matcher accuracy. Eighteen companies participated<br />
in the FPVTE 2003, submitting a total of 34 systems for<br />
evaluation.<br />
In the small-scale test, single image comparisons of fingerprints<br />
were matched one million times against a<br />
66 Fingerprint Vendor <strong>Technology</strong> Evaluation 2003 - Analysis Report<br />
(FpVTE 2003). Charles Wilson, R. Austin Hicklin, Harold Korves, Bradford<br />
Ulery, Melissa Zoepfl, Mike Bone, Patrick Grother, Ross Michaels, Steve<br />
Otto, and Craig Watson. NIST, Mitretek, and NAVSEA Crane Division.<br />
Version 2 – Summer 2008
Section 6 38 Testing and Evaluation<br />
1,000-fingerprint database. In the medium-scale test,<br />
single image comparisons were matched against a<br />
10,000-fingerprint database. And in the large-scale test,<br />
set-to-set comparisons were matched more than a billion<br />
times against a 64,000-fingerprint database. Accuracy<br />
rates were evaluated relative to the size of the system.<br />
The FpVTE project was launched as part of the U.S. PA-<br />
TRIOT Act to certify biometric technologies that may be<br />
used in the U.S. Visitor and Immigrant Status Indicator<br />
<strong>Technology</strong> (US-VISIT) Program. The test was co-sponsored<br />
by the U.S. Department of Justice, the FBI, DHS,<br />
the U.S. Immigration Office, as well as the EU Commission<br />
service, police departments in Canada, and the U.K.<br />
Police Information <strong>Technology</strong> Organization (PTO). For<br />
further information and data on this analysis, see www.<br />
fpvte.nist.gov.<br />
Face Recognition Vendor Test 2005 67<br />
NIST is also sponsoring technology evaluations in the<br />
area of facial recognition.<br />
The Face Recognition Vendor Test (FRVT 2005) is the latest<br />
in a series of large-scale independent evaluations for<br />
face recognition systems. Previous evaluations in the<br />
series were the FERET, FRVT 2000, and FRVT 2002. The<br />
primary goal of the FRVT 2005 is to measure progress of<br />
prototype systems/algorithms and commercial face recognition<br />
systems since FRVT 2002 and ultimately develop<br />
algorithms with performance capabilities exceeding<br />
FRVT 2002. Additionally, one of the goals is to independently<br />
determine if the objectives of the Face Recogni-<br />
67 Face Recognition Vendor Test (FRVT). www.frvt.org<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 39<br />
tion Grand Challenge (FRGC) are achieved.<br />
The Face Recognition Grand Challenge (FRGC) is an independent<br />
algorithm development project designed to<br />
promote and advance facial recognition technology for<br />
existing facial recognition activities in the U.S. government.<br />
According to the FRGC website, 68 the main goal of the<br />
FRGC is to promote and advance face recognition technology<br />
to support existing face recognition efforts in the<br />
U.S. government. FRGC will develop new face recognition<br />
techniques and develop prototype systems while<br />
increasing performance by an order of magnitude.<br />
Iris Challenge Evaluation (ICE) 2005-2006<br />
From August 2005 to March 2006, NIST conducted and<br />
managed the Iris Challenge Evaluation. This program<br />
consisted of an iris recognition challenge problem that<br />
was distributed to potential challenge participants’ consisting<br />
of two phases. The first phase was ICE 2005, concerning<br />
iris recognition technology development. According<br />
to the ICE web site, the primary goal of ICE 2005<br />
was to promote and advance iris recognition technology<br />
that supports existing iris recognition efforts by the U.S.<br />
government.<br />
This was followed in July 2006 by ICE 2006. The goal of<br />
ICE 2006 was to determine the state-of-the-art capability<br />
of automatic iris recognition technology and to establish<br />
68 Face Recognition Grand Challenge (FRGC). www.frvt.org/frgc<br />
69 Iris Challenge Evaluation (ICE) http://iris.nist.gov/ice/<br />
Version 2 – Summer 2008
Section 6 40 Testing and Evaluation<br />
a performance baseline against which to measure future<br />
progress. The results were published in March 2007 and<br />
are available from NIST.<br />
Multiple <strong>Biometric</strong> Grand Challenge<br />
In April 2008, NIST initiated the Multiple <strong>Biometric</strong> Grand<br />
Challenge (MBGC) to address areas of concern identified<br />
in previous challenges. According to the MBGC web site,<br />
the primary goal of the MBGC is to investigate, test, and<br />
improve performance of face and iris recognition technology<br />
- including still and video imagery - through a<br />
series of challenge problems and evaluation. The MBGC<br />
seeks to reach this goal through several technology development<br />
areas:<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Face recognition on still frontal, real-world high and<br />
low resolution imagery<br />
Iris recognition from video sequences and off-angle<br />
images<br />
Fusion of face and iris (at score and image levels)<br />
Unconstrained face recognition from still and video<br />
Recognition from Near Infrared (NIR) and High Definition<br />
(HD) video streams taken through portals<br />
Unconstrained face recognition from still and video<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 41<br />
Testing Organizations<br />
There are several national and international testing organizations<br />
that are recognized for their activities in biometric<br />
testing. These include, but are not limited to:<br />
•<br />
National Institute of Standards and <strong>Technology</strong><br />
(NIST) - the research arm of the U.S. Department<br />
of Commerce conducts biometric system tests using<br />
some of the largest fingerprint databases in the world<br />
and generally focuses on fingerprint, facial, and iris<br />
testing on a large scale. Most of NIST’s test results are<br />
available to the public, although tests that are run on<br />
deployed systems (such as the FBI’s IAFIS system) are<br />
classified due to national security concerns.<br />
The U.S. PATRIOT Act requires NIST to work with the<br />
Departments of State and Justice to examine entry<br />
and exit procedures at U.S. border crossings. NIST<br />
also runs tests related to the US-VISIT program that<br />
requires visitors to the United States to either carry<br />
a passport with biometric identifiers or to be fingerprinted<br />
upon entering the country. NIST laboratories<br />
are located in Gaithersburg, Maryland.<br />
• <strong>Biometric</strong> Services International, LLC - BSI, located<br />
in Morgantown, West Virginia, is an independent nonprofit<br />
organization that consolidates NBSP’s testing,<br />
training, research, and technical consulting functions<br />
into a dedicated operating location and facility. BSI<br />
performs biometric technology-specific applications<br />
and operations testing in both an independent and<br />
client directed test program. The program includes<br />
product testing, standards compliance testing, and<br />
Version 2 – Summer 2008
Section 6 42 Testing and Evaluation<br />
special client test efforts. NBSP/BSI have developed a<br />
testing protocol, including a set of common or general<br />
testing criteria, to evaluate commercially available<br />
biometric products for potential inclusion on a general<br />
Qualified Products List (QPL). BSI is currently the<br />
only facility exclusively dedicated to biometrics that<br />
has achieved ISO/IEC 17025 accreditation for testing<br />
laboratories. By holding accreditation to this standard,<br />
it assures customers that BSI maintains a superior<br />
Quality Management System.<br />
• National Physical Laboratory (NPL) - NPL is the<br />
UK equivalent to NIST. Established in 1996, the NPL<br />
performs technology, application specific, and operational<br />
testing programs, comparing real-world performance<br />
to claims by biometric vendors. NPL also<br />
provides consulting services for organizations looking<br />
to implement a biometric strategy. The organization<br />
is known for developing test methodologies<br />
for biometric testing. While many of the NPL’s test<br />
results are made public, some are not. NPL receives<br />
some government funds, but the bulk of its biometric<br />
testing is paid for by private companies, such as<br />
systems integrators.<br />
•<br />
U.S. Department of Defense <strong>Biometric</strong>s Fusion<br />
Center (BFC) - the U.S. Army organization that is the<br />
DoD executive for biometric technology application.<br />
The BFC, located in Fairmont, West Virginia, performs<br />
several types of tests on biometric technologies, including<br />
product assessments to verify vendor claims,<br />
specific application and field-testing to determine<br />
the feasibility of biometric systems, and controlled<br />
assessment tests to check biometric performance in<br />
laboratory environments. Their customers are gen-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 43<br />
erally United States defense organizations. Test results<br />
are not normally published.<br />
BFC’s primary goal is to determine whether certain<br />
biometric systems are appropriate for military use.<br />
Test results are made available to government and<br />
military officials, but not to the general public.<br />
• Sandia National Laboratory - is a United States<br />
national lab that develops and tests science-based<br />
technology in support of national security interests.<br />
Sandia conducts various research and technology<br />
testing and results are generally not published. Sandia<br />
is a Government-Owned, Contractor-Operated<br />
(GOCO) facility based in Albuquerque, New Mexico.<br />
Lockheed Martin manages Sandia for the U.S. Department<br />
of Energy’s Nuclear Security Administration.<br />
• U.S. Army Research Lab (ARL) - created the highly<br />
respected Facial Recognition <strong>Technology</strong> (FERET)<br />
program, which was later taken over by NIST. ARL<br />
performs testing for various biometric-based products<br />
and systems that are directly related to military<br />
applications.<br />
• TNO TPD - is a division of the independent Netherlands<br />
Organization for Applied Scientific Research.<br />
This Netherlands-based group conducts biometrics<br />
research and testing and provides consulting services.<br />
The organization has tested facial recognition<br />
systems’ viability for passport applications.<br />
TNO is financed primarily through contract research<br />
for clients, including government and industry. Test<br />
results are typically not public, but qualified passport<br />
Version 2 – Summer 2008
Section 6 44 Testing and Evaluation<br />
or ID-issuring agencies can request results information.<br />
TNO participates in the European <strong>Biometric</strong>s<br />
Forum (EBF), part of the European Commission’s Biovision<br />
project to provide a roadmap for biometric systems<br />
through 2010.<br />
• The <strong>Biometric</strong>s <strong>Technology</strong> Center, China - is supported<br />
by the Hong Kong Government at Hong Kong<br />
Polytechnic University to perform research on integrated<br />
biometric technologies. The center aims to:<br />
–<br />
–<br />
–<br />
Transfer multiple biometric technologies from<br />
university to industry<br />
Provide a biometrics knowledge base for industry<br />
and technological advancement<br />
Explore integrated biometric solutions to practical<br />
industrial applications.<br />
• University of Buffalo (NY) - Center for Unified<br />
<strong>Biometric</strong>s and Sensors (CUBS) was developed to advance<br />
the science of biometrics to provide key enabling<br />
technologies to build engineering systems<br />
with a focus on homeland security applications. The<br />
center enables development of new biometric technologies<br />
from proof-of-concept to product readiness,<br />
including usability studies and educational outreach<br />
to evaluate and mitigate any ethical and legal<br />
concerns.<br />
• Michigan State University (MSU)<br />
- has conducted<br />
research of fingerprint, facial recognition, and hand<br />
geometry biometric technologies. Their test reports<br />
are published and publicly available.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 6 45<br />
•<br />
University of Bologna (Italy) - <strong>Biometric</strong> Systems<br />
Laboratory - develops biometric systems and works<br />
with industry to test research results in specific applications.<br />
It is primarily focused on fingerprint technology.<br />
• Fingerprint Verification Competition (FVC) - is<br />
a university-based test organized by biometric researchers<br />
at the University of Bologna and is operated<br />
in conjunction with San Jose State University<br />
and Michigan State University. This test tracks recent<br />
advances in fingerprint verification to establish a<br />
benchmark for allowing systems developers to compete<br />
on a level playing field. The competition is a predominantly<br />
lab-based, and the fingerprint databases<br />
were not collected in a real-world environment. The<br />
competition, however, is still helpful and valuable as<br />
it assists software developers and vendors in improving<br />
their fingerprint algorithms.<br />
• University of Edinburgh (Scotland) - has performed<br />
tests of speech related biometrics. One test in particular<br />
examined security specific to banking applications.<br />
• The West Virginia University (WVU) - While WVU<br />
does not operate a regular testing program on<br />
biometrics, it is the only known academic institution<br />
at a senior level offering a degree program in biometric<br />
systems.<br />
Other universities with growing academic and research<br />
programs in biometrics include: Massachusetts Institute<br />
of <strong>Technology</strong>, University of Pennsylvania, University of<br />
Maryland, Carnegie Mellon University, University of California<br />
San Diego, University of Notre Dame,<br />
Version 2 – Summer 2008
Section 6 46 Testing and Evaluation<br />
Purdue University, Johns Hopkins University and the U.S.<br />
Naval Academy.<br />
There are also a number of commercial organizations<br />
with biometric research and testing capabilities. These<br />
include Noblis and the International <strong>Biometric</strong>s Group.<br />
• Noblis <strong>Biometric</strong>s Lab - was established to support<br />
government evaluation and application of biometric<br />
technologies. The lab supports development of biometric<br />
technology demonstrations, design of prototypes,<br />
and objective performance tests. <strong>Application</strong>s<br />
address personal identification and authentication<br />
with respect to physical and logical access control<br />
and information security. Although the lab’s primary<br />
focus is biometrics, it also supports the investigation<br />
and integration of complementary technologies,<br />
such as smart cards and data encryption.<br />
• International <strong>Biometric</strong>s Group (IBG) - is a New<br />
York-based, for-fee, testing house and consultancy<br />
that conducts product tests that illustrate how biometric<br />
technologies may perform in the field. IBG<br />
has been testing and comparing biometrics since<br />
1998, with clients from both the public and private<br />
sectors. IBG performs “scenario testing” in which live<br />
subjects are enrolled in a biometrics test, as well as<br />
the algorithm testing that was described earlier in<br />
this section.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 1<br />
Section 7: <strong>Biometric</strong> Social and Cultural<br />
Implications<br />
The impact, both real and perceived, of the expanded<br />
use of biometric technology on any society is not insignificant.<br />
At best, the technology represents a tremendous<br />
benefit for national/public security, individual security,<br />
and personal identity protection. This section addresses<br />
the social issues in three parts. First, in Section 7.1, the<br />
legal basis for use of the technology is examined. In Section<br />
7.2, the focus is on privacy issues and implications.<br />
Finally, in Section 7.3, consideration is given to the public<br />
acceptance and obstacles to proper use of the technology.<br />
Section 7, Part I: Societal Issues—Legal<br />
Considerations and Implications<br />
Disclaimer: The legal considerations and issues presented<br />
in this section do not constitute legal advice or counsel<br />
and must not be construed as serving that purpose. They<br />
are intended to alert the reader to current primary issues<br />
regarding the use of biometrics under United States laws,<br />
the U.S. legal system, and selected non-U.S. references.<br />
Background<br />
The handling of personal information by the government<br />
or a private institution raises the sensitive issue of individual<br />
privacy and there are numerous laws and regulations<br />
that are or may be applicable. For the purpose of<br />
Version 2 – Summer 2008
Section 7 2 <strong>Biometric</strong> Social and Cultural Implications<br />
this discussion, it should suffice to recognize that these<br />
laws and regulations rest on four fairness concerns: notice,<br />
choice, access, and safeguards. 70<br />
Notice should allow people to know what personal information<br />
is being collected by the government or any private<br />
sector group, how it is being used, and with whom<br />
it might be shared. Choice should allow people to decide<br />
whether to give the information, to what extent it will<br />
be used, and to whom it will be given. Access should allow<br />
people to know what information the government<br />
or other organization has about them and allow them to<br />
correct it. Finally, the safeguarding of this information<br />
should be sufficient to meet a reasonable standard for<br />
data security.<br />
When evaluating and designing a biometric-based system<br />
for use in either government or private sector applications,<br />
there are several key questions that should be<br />
asked and considered. These include 71 :<br />
•<br />
•<br />
•<br />
•<br />
Can the biometric system be narrowly tailored to its<br />
task?<br />
Who will oversee the program?<br />
What alternatives are there to biometric technologies?<br />
What information will be stored and in what form?<br />
70 Privacy Online: Fair Information Practices in the Electronic Market-<br />
place. Federal Trade Commission. May 2000, p. iii.<br />
71 <strong>Biometric</strong> <strong>Technology</strong>: Security, Legal, and Policy Implications. Legal<br />
Memorandum #12. Paul Rosenzweig, Alane Kochems, and Ari Schwartz.<br />
The Heritage Foundation. June 2004. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 3<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
•<br />
To what facility/location will the biometric give<br />
access?<br />
Will the original biometric material be retained?<br />
Will biometric data be kept separately from other<br />
identifying personal information?<br />
Who will have access to the information?<br />
How will access to the information be controlled?<br />
How will the system ensure accuracy?<br />
Will data be aggregated across databases?<br />
If information is stored in a database, how will it be<br />
protected?<br />
Who will make sure that program administrators are<br />
responsive to privacy concerns?<br />
Can people remove themselves from a database voluntarily?<br />
How will consistency between data collected at multiple<br />
sites be maintained?<br />
If there is a choice, will people be informed of optional<br />
v. mandatory enrollment alternatives?<br />
<strong>Biometric</strong> technology has substantial potential to improve<br />
security—public, private, and national—by providing a<br />
means to identify and verify people in many contexts. In<br />
many circumstances, this use will provide a substantially<br />
higher level of security beyond the current means of<br />
Version 2 – Summer 2008
Section 7 4 <strong>Biometric</strong> Social and Cultural Implications<br />
identification. This will be of special utility in controlling<br />
access to areas where security risks are especially high—<br />
airport tarmacs, critical infrastructure facilities, etc.<br />
As with all new technologies, however, there is potential<br />
for abuse. Thus, there is a legitimate public concern that<br />
biometric technology could be misused to invade or violate<br />
personal privacy or other civil liberties. Some of the<br />
fears surrounding biometric information are that it could<br />
be:<br />
•<br />
•<br />
•<br />
•<br />
Gathered without permission, knowledge, or clearly<br />
defined reasons<br />
Used for a multitude of purposes other than the one<br />
for which it was initially gathered (function creep or<br />
mission creep)<br />
Disseminated without expressed permission from<br />
the biometric feature “owner”<br />
Used to learn about people for surveillance or social<br />
control purposes<br />
There are also concerns about tracking, which is realtime<br />
or near-real-time surveillance of an individual and<br />
profiling, where a person’s past activities are reconstructed.<br />
Both of these would destroy a person’s anonymity.<br />
Identity fraud and theft are major issues, too.<br />
In properly determining how best to enhance both<br />
civil liberty and security, it is useful to have some basic<br />
principles for assessing use of a particular biometric<br />
technology. Generally, and with specific requirements<br />
for special exceptions, such a code of principles should<br />
include:<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 5<br />
•<br />
•<br />
•<br />
•<br />
•<br />
Enrollment in biometric systems should be overt instead<br />
of covert. Before one is enrolled in a biometricbased<br />
program, he/she should be made aware of the<br />
enrollment.<br />
<strong>Biometric</strong> systems should, when possible, be designed<br />
to operate with local, segmented, or distributed<br />
storage of data (for example, on smart cards)<br />
rather than in a central storage database. Centralized<br />
storage of biometric data increases security requirements<br />
and needs additional protection against<br />
function or mission creep. For some biometric technologies<br />
and national or special applications, local<br />
storage may not be feasible or practical.<br />
It would be preferred to have a biometric-based system<br />
that is “opt-in” and requires a person to consent<br />
rather than those that are mandatory. This does not<br />
mean that requiring someone to opt-in cannot be<br />
made a condition of participation, (for example, if a<br />
person wants to enter the United States he/she must<br />
provide a biometric) since participation is ultimately<br />
voluntary. Additionally, certain biometric applications<br />
(e.g., DNA for convicted terrorists and criminals)<br />
may need to be mandatory).<br />
For privacy and security reasons, one should prefer<br />
biometric systems that reduce the biometric to a<br />
template or reference, rather than maintaining a<br />
stored image. Generically, references are harder to<br />
falsify. However, the decision will depend on the<br />
application.<br />
Where feasible, biometric systems should consider<br />
the use of a form of verified pseudonymity, where<br />
the authorization for use by the identified individual<br />
Version 2 – Summer 2008
Section 7 6 <strong>Biometric</strong> Social and Cultural Implications<br />
•<br />
•<br />
•<br />
is conveyed while the identity is concealed unless<br />
and until suitable authorization for “piercing the veil<br />
of anonymity” is received.<br />
Any biometric system should have strong audit and<br />
oversight programs to prevent misuse. The Privacy<br />
Act of 1974 addresses some of these concerns since<br />
it limits the ability of federal agencies to collect, use,<br />
or disclose personal information like biometric data.<br />
There are, however, exceptions for national security<br />
and law enforcement purposes. Recourse to these<br />
exceptions should be well-documented and subject<br />
to periodic review.<br />
Any biometric system is only as strong as the initial<br />
enrollment. An ideal way to evade biometric detection<br />
is to be improperly registered as a legitimate<br />
user. In conjunction with the deployment of any<br />
new biometric system, one must take care to monitor,<br />
audit, and periodically test the enrollment process.<br />
Enrolled data should also be subject to routine<br />
secondary review to identify those mistakenly enrolled<br />
in the first instance.<br />
Similarly, a biometric system is only as strong as its<br />
back-up alternative. The principle of layered security<br />
requires that those implementing biometric identification<br />
systems have in place a suitable secondary<br />
identification system for use when the primary biometric<br />
system fails or provides an inconclusive result.<br />
It will not do, for example, for the back-up to a<br />
biometric system to be a simple, insecure, signature<br />
verification.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 7<br />
U.S. citizens—as well as citizens of other countries—value<br />
their privacy and autonomy. These rights are the very<br />
concepts and beliefs the United States was founded on.<br />
Given our increasing need for more fool-proof and accurate<br />
(and convenient) methods of identification, how can<br />
the need for increased security and accurate identification<br />
be best balanced to protect an enhance privacy? A challenge<br />
is presented in how technologies like biometrics<br />
can be used to provide security, while preserving privacy<br />
and personal freedom.<br />
For background, it should be noted that there are four<br />
types of organizations covered by the laws pertaining to<br />
the collection, maintenance, use, and storage of personal<br />
data. They are:<br />
1.<br />
2.<br />
3.<br />
4.<br />
Federal government agencies and their contractors;<br />
Federal government agencies involved in intelligence<br />
gathering or law enforcement and their contractors;<br />
Private organizations that receive federal funding,<br />
and<br />
Private organizations that do not receive federal<br />
funding.<br />
Federal government agencies and their contractors are<br />
subject to the strictest rules with respect to the collection,<br />
maintenance, use, and storage of personal data. Private<br />
organizations supported by federal funding are subject<br />
to most but not all of the rules.<br />
Data used by federal government agencies for intelligence<br />
gathering or for law enforcement purposes have certain<br />
Version 2 – Summer 2008
Section 7 8 <strong>Biometric</strong> Social and Cultural Implications<br />
exemptions under the laws and regulations, but are also<br />
required to comply with special directives or orders that<br />
apply only to that community and its contractors. Private<br />
organizations with no federal funding are currently not legally<br />
restricted in collecting, maintaining, using, and storing<br />
biometric data. 72 However, with regard to the latter, it<br />
would be prudent to exercise reasonable care similar to<br />
the requirements that apply to others.<br />
U.S. Law and Implications<br />
U.S. Constitutional Amendments<br />
U.S. citizens’ rights to privacy—to due process and preventing<br />
unreasonable search and seizure—is inherent in<br />
the following Constitutional Amendments:<br />
• Fourth Amendment—The<br />
right of the people to be<br />
secure in their persons, houses, papers, and effects,<br />
against unreasonable searches and seizures, shall not<br />
be violated; and no warrants shall issue, but upon<br />
probable cause, supported by oath or affirmation, and<br />
particularly describing the place to be searched and<br />
the persons or things to be seized.<br />
• Fifth Amendment—No<br />
person shall be held to answer<br />
for a capital, or otherwise infamous, crime, unless<br />
on a presentment or indictment of a grand jury,<br />
except in cases arising in the land or naval forces, or<br />
in the militia, when in actual service, in time of war,<br />
80 Facial recognition technology has been used in casinos for years.<br />
This unimpeded use of biometric information by the private sector<br />
could change in the near future. For example, see California Bill SB-<br />
169 introduced in 2001.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 9<br />
or public danger; nor shall any person be subject, for<br />
the same offense to be twice put in jeopardy of life or<br />
limb; nor shall any person be compelled, in any criminal<br />
case, to be a witness against himself, nor be deprived<br />
of life, liberty, or property, without due process<br />
of law; nor shall private property be taken for public<br />
use, without just compensation.<br />
• Fourteenth Amendment—Section<br />
1. All persons born<br />
or naturalized in the United States, and subject to the<br />
jurisdiction thereof, are citizens of the United States<br />
and of the State wherein they reside. No State shall<br />
make or enforce any law which shall abridge the privileges<br />
or immunities of citizens of the United States;<br />
nor shall any State deprive any person of life, liberty,<br />
or property without due process of law, nor deny any<br />
person within its jurisdiction the equal protection of<br />
the law.<br />
Du E pR O C E s s 73<br />
The concept of due process requires the United States<br />
government to fulfill its obligations with reason, consideration,<br />
and fairness. It is the government’s duty to provide<br />
eligible citizens with certain rights and privileges. If<br />
a government agency is going to deem a person ineligible<br />
and unqualified for these privileges, the reasons must<br />
be substantiated, and the citizen must be given an opportunity<br />
to appeal. The method used for appealing ineligibility<br />
is called a pre-termination or predetermination<br />
hearing, which occurs prior to the actual suspension of<br />
73 Portions adapted from <strong>Biometric</strong> <strong>Application</strong>s: Legal and Societal Considerations.<br />
National <strong>Biometric</strong> Test Center. San Jose State University.<br />
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political<br />
Science Dept. Used with permission from James Wayman.<br />
Version 2 – Summer 2008
Section 7 10 <strong>Biometric</strong> Social and Cultural Implications<br />
rights and privileges.<br />
There have been instances when the government has<br />
denied rights without providing a hearing and, because<br />
it was justified as in the interests of public safety, it was<br />
ruled that due process had not been violated. Such cases<br />
include the seizing of mislabeled vitamins 74 and spoiled<br />
food 75 and denying employment to a cook in a defense<br />
contractor’s plant. 76<br />
However, in the case Goldberg v. Kelly, 85 the Supreme<br />
Court determined that pre-termination hearings were<br />
required prior to denying a person Aid to Families with<br />
Dependent Children (AFDC) payments. Since that ruling<br />
in 1970, hearings have become a precedent for meeting<br />
the terms of due process.<br />
In addition to due process, the issue of information accuracy<br />
must also be considered in the use of biometricbased<br />
systems. Case law illustrates that government decisions<br />
based on inaccurate data or flawed procedures<br />
are unconstitutional. 78 Decisions to deny or allow access<br />
or privileges that are based on faulty or inaccurate information<br />
will be subject to criticism and recall. Not only<br />
will the accuracy of the biometric system be questioned,<br />
74 Ewing v. Mytinger and Casselberry, Inc., 339 U.S. 594 (1950).<br />
75 North American Cold Storage Company v. Chicago, 211 U.S.<br />
306 (1908).<br />
76 Cafeteria and Restaurant Workers Union v. McElroy, 367 U.S.<br />
886 (1961).<br />
77 Goldberg v. Kelly, 397 U.S. 254 (1970).<br />
78 For example, many drug testing cases during the 1980s, before the<br />
United States Supreme Court decided Von Raab, overturned employee<br />
dismissals whose drug tests turned up positive because early urinalysis<br />
testing approached only a 95%-99% accuracy range.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 11<br />
but so will its reason for being, operational procedures,<br />
user training, and all other aspects surrounding the biometric.<br />
If improper system implementation, poor training,<br />
or an error in the biometric system itself, results in a<br />
person being falsely denied entry into a country, for example,<br />
courts may determine that due process has been<br />
violated.<br />
There are major legal implications and issues for the use<br />
of biometrics in both public and private applications.<br />
Agencies and companies will have to train their personnel<br />
to use the biometric system(s) in the proper manner,<br />
as well as establish procedures for system implementation,<br />
use, maintenance, identity authentication (see section<br />
on Breeder Documents), and accommodating grievances.<br />
Legal issues related to due process may not be as numerous<br />
as those related to privacy (see Section 7, Part II: Privacy<br />
Considerations and Implications). The privacy rights<br />
rooted in the 4th, 5th, and 14th Amendments will continually<br />
come up for debate as more applications for biometric<br />
technologies are proposed and implemented. An<br />
important consideration for those designing, implementing,<br />
and using biometric-based systems, as biometrics<br />
are further developed and enhanced, is their level of intrusiveness.<br />
fO u R t h am E n D m E n t Ex a m p l E 79<br />
In the Supreme Court case Katz v. United States 80 the<br />
79 Portions adapted from <strong>Biometric</strong> <strong>Application</strong>s: Legal and Societal<br />
Considerations. National <strong>Biometric</strong> Test Center. San Jose State University.<br />
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political<br />
Science Dept. Used with permission from James Wayman.<br />
80 Katz v. United States, 389 U.S. 347 (1967).<br />
Version 2 – Summer 2008
Section 7 12 <strong>Biometric</strong> Social and Cultural Implications<br />
court interpreted that the Fourth Amendment protects<br />
people, but not places, meaning, wherever a person has<br />
a reasonable expectation of privacy, he/she is entitled to<br />
be free from unreasonable government intrusion. However,<br />
there are times when the government has justifiably<br />
set aside a person’s Fourth Amendment rights in the<br />
interest of public safety.<br />
In the case of fingerprinting or drug testing, these collections<br />
of biometric features or specimens can be<br />
considered a “search.” Such activities are done when<br />
a person is suspected of wrong-doing. It is likely that<br />
eventually some latitude may be given for biometric<br />
applications, as it has been given for drug testing.<br />
For example, a situation where the concept of “suspicionless<br />
search” was given latitude was in the case National<br />
Treasury Employees Union v. Von Raab, 81 where<br />
the court allowed drug testing on large groups of federal<br />
employees, even if none were suspected of drug<br />
use. This is called “suspicionless search.” Prior to the<br />
Michigan v. Sitz 82 case in 1990, which involved sobriety<br />
checkpoints, suspicionless search was reserved for non-<br />
criminal searches. In Sitz, the Supreme Court allowed<br />
data from these random sobriety checkpoints to be used<br />
to link an individual to a crime, expanding suspicionless<br />
searches to criminal searches.<br />
82 National Treasury Employees Union v. Von Raab. 489 U.S. 656 (1989).<br />
82 Michigan v. Sitz. 494 U.S. 444 (1990).<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 13<br />
fi f t h am E n D m E n t Ex a m p l E 83<br />
The Fifth Amendment protection from self-incrimination<br />
has been expanded to include both criminal proceedings<br />
and non-criminal procedures that might result in criminal<br />
prosecution. The Fifth Amendment includes: “No person<br />
. . . shall be compelled in any criminal case to be a witness<br />
against himself.”<br />
<strong>Biometric</strong> reference collection methods could be considered<br />
controversial, particularly those already considered<br />
intrusive. An example of non-intrusive sample-taking is<br />
featured in the 1957 Breithraupt v. Abram 84 case. In this<br />
case, a blood sample was taken from an unconscious<br />
suspect involved in a deadly car accident. The court ruled<br />
that this evidence was admissible because blood samples,<br />
like fingerprinting and urine samples, are commonplace,<br />
relatively non-intrusive, and acceptable to society.<br />
In another case, Schmerber v. California, 85 it was reiterated<br />
in 1966 that forced writing, speaking, fingerprinting,<br />
and walking or gesturing could be used for identification<br />
in court. Perkey v. Department of Motor Vehicles 86 was<br />
a civil case dealing with issuing drivers licenses. In this<br />
case, the court upheld that since fingerprinting did not<br />
penetrate the skin, it did not violate personal dignity or<br />
privacy rights. [There are a number of U.S. states currently<br />
incorporating fingerprint- or other biometric-based<br />
83 Portions adapted from <strong>Biometric</strong> <strong>Application</strong>s: Legal and Societal Considerations.<br />
National <strong>Biometric</strong> Test Center. San Jose State University.<br />
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political<br />
Science Dept. Used with permission from James Wayman.<br />
84 Breithraupt v. Abram. 352 U.S. 432 (1957).<br />
85 Schmerber v. California. 384 U.S. 757 (1966).<br />
86 Perkey v. Department of Motor Vehicles. 721 P.2d. 50 (Cal. App. 1986).<br />
Version 2 – Summer 2008
Section 7 14 <strong>Biometric</strong> Social and Cultural Implications<br />
driver licensing programs. For further information, see<br />
BTAM Volume 2: Section 12: U.S. State and Regional <strong>Application</strong>s.]<br />
Given the rulings in these examples, it can be assumed<br />
that biometric features will be treated similarly since<br />
most biometric systems use what are generally considered<br />
to be day-to-day and “socially acceptable” actions,<br />
like submitting a fingerprint or handwriting sample.<br />
Impact on Civil Liberties 87<br />
Much attention has been focused on airline passenger<br />
identification since the September 11, 2001, terrorist attacks.<br />
Boston’s Logan Airport was the access point for<br />
several hijackers. Would a working facial recognition or<br />
other biometric-based system have successfully warned<br />
officials about these terrorists? What is the impact of<br />
such a working system on “regular people” whose faces<br />
or features are also scanned through the system, whether<br />
covertly or overtly? Some believe that an identification<br />
system based on facial recognition technology in a<br />
surveillance application, for example, can pose several<br />
threats to civil liberties, if not implemented carefully.<br />
Any potential privacy threats to, or false accusations of,<br />
innocent people must be minimized.<br />
As presented throughout this volume, the degree<br />
of similarity between biometric templates/<br />
references that is required for a positive match depends<br />
on the decision threshold (false accept and false reject<br />
ratio), which is defined by the system owner. A high se-<br />
87 Portions adapted from <strong>Biometric</strong>s and the Threat to Civil Liberties. IEEE<br />
Computer magazine. ® April 2004 IEEE. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 15<br />
curity level—low or no false accepts and/or high or many<br />
false rejects—could cause otherwise innocent people<br />
to be inconvenienced or falsely accused. Or, the system<br />
could be set for low security, potentially allowing wrongdoers<br />
to get through or escape the system. Privacy implications<br />
for the biometric system users (i.e., passengers in<br />
this example) are directly correlated to the security sensitivity<br />
settings (decision threshold parameters) of the biometric<br />
system being used.<br />
Another important civil liberty issue involves the potential<br />
for biometric systems to locate and physically track<br />
airline passengers. Covert instead of overt “scanning”<br />
and tracking of passengers as they move through and<br />
between airports could lead to civil liberties concerns<br />
and challenges. As was presented earlier, the Fourth<br />
Amendment protects U.S. citizens against illegal searches<br />
and seizures by the U.S. government. Article 12 of the<br />
United Nation’s Universal Declaration of Human Rights,<br />
adopted in 1948, guards against unqualified or unjustified<br />
interference with a person’s home, family, or privacy.<br />
Use of a covert facial recognition system at an airport, for<br />
example, may be considered a civil liberties violation, depending<br />
on the nature of data collected, how it is used,<br />
and how/where it is stored.<br />
In this or any other application, how and where to store<br />
the collected biometric data must be carefully considered,<br />
since it is common practice to store biometric data<br />
for an extended period of time after the initial enrollment<br />
references are collected. If an unfortunate event should<br />
occur, the biometric data could be helpful in an investigation.<br />
Decisions must be made regarding data accessibility,<br />
security, and data organization, defining who can<br />
access the data, how it can be used, and how and when<br />
biometric data will be destroyed. Implementing a large-<br />
Version 2 – Summer 2008
Section 7 16 <strong>Biometric</strong> Social and Cultural Implications<br />
scale biometric system requires a series of critical technical<br />
decisions concerning security and database safeguards.<br />
Many of these decisions can affect civil liberties.<br />
Implications for Federal Agencies<br />
Federal agencies and their contractors may only collect<br />
or compile information regarding individuals necessary<br />
for the proper performance of its functions and which<br />
has practical utility and are required to obtain permission<br />
for collecting personally identifiable information<br />
that will be stored in a system of records. For example,<br />
a federal agency may scan the faces in a crowd for a<br />
match with a face on file without getting anybody in the<br />
crowd’s permission, if the information gathered from the<br />
crowd is discarded and not stored. 88 When permission<br />
is required for research with human subjects it must include<br />
informed consent. Informed consent can only be<br />
given under circumstances that:<br />
1.<br />
2.<br />
Provide the prospective subject sufficient opportunity<br />
to consider whether or not to participate in the<br />
project, and<br />
Minimize the possibility of coercion or undue<br />
influence.<br />
88 This requirement comes from the Privacy Act and it hinges on the interpretation<br />
of the Act’s use of the word “record.” The courts have not yet<br />
provided an exact interpretation. For purposes of this report, the broadest<br />
interpretation is being accommodated, i.e., any stored biometric is<br />
a record. A tighter interpretation, e.g., the biometric must be linked to<br />
one’s social security number or name, would allow the information from<br />
the crowd scan to be kept in the above example.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 17<br />
The information regarding the project and the consent<br />
that is given to the subject shall be in language understandable<br />
to the subject. Informed consent cannot include<br />
exculpatory language where the subject is required<br />
to waive or appear to waive any of his/her legal<br />
rights, or releases or appears to release the investigator,<br />
the sponsor, the institution or its agents from liability for<br />
negligence. 89 Consent must be recorded in writing and<br />
signed by the subject. Consent forms must include notice<br />
of The Privacy Act of 1974 (the “Privacy Act”), the applicant’s<br />
rights under the Privacy Act, how the information<br />
collected will be routinely used, the authority for<br />
the collection, and the consequences to the applicant of<br />
not providing the requested information, if any. 90 When<br />
agencies collect personal information, they are required<br />
to provide a notice in the Federal Register that includes<br />
certain information, such as the name and location of the<br />
system of records, categories of individuals in the system,<br />
and routine uses of the information. 91<br />
89 These are the general requirements for informed consent for human<br />
testing by a government agency. Language taken from the Code of Federal<br />
Regulations, 45 CFR §46.116. <strong>Biometric</strong> testing falls under 45 CFR<br />
46 pursuant to §46.101 and §46.102(f).<br />
90 Language taken from the United States General Accounting Office’s<br />
Information Management: Selected Agencies’ Handling of Personal Information,<br />
(GAO-02-1058), Sep. 2002, p. 47, authority taken from The Privacy<br />
Act of 1974, 5 USC §552a(e)(3).<br />
91 Language taken from the United States General Accounting Office’s<br />
Information Management: Selected Agencies’ Handling of Personal Information,<br />
(GAO-02-1058), Sep. 2002, p. 47.<br />
Version 2 – Summer 2008
Section 7 18 <strong>Biometric</strong> Social and Cultural Implications<br />
International Considerations<br />
OECD Guidelines<br />
The OECD 92 is an international organization of countries<br />
that creates a forum for its member states to “discuss, develop,<br />
and refine economic and social policies,” which often<br />
lead to agreements and treaties (both binding and<br />
non-binding) among countries with regard to domestic<br />
and international policies and cooperation with respect<br />
to a multitude of issues. 93 There are currently 30 member<br />
states. Non-member countries are also invited to subscribe<br />
to OECD agreements and treaties.<br />
On September 23, 1980, the OECD issued its Guidelines<br />
on the Protection of Privacy and Trans-border Flows of<br />
Personal Data, or OECD Guidelines. These guidelines,<br />
which are non-binding, lay out eight principles of privacy<br />
and recommend that member countries take these<br />
principles into account when implementing domestic<br />
policies regarding the flow of personal data. These privacy<br />
principles have subsequently emerged as a universal<br />
foundation for the formulation of national privacy<br />
legislation and can be found in the privacy laws of many<br />
countries. The eight principles are provided in Section<br />
7.2.<br />
EU Data Protection Directive<br />
The law that most significantly impacts the legality and<br />
92 Organization for Economic Cooperation and Development.<br />
93 Organization for Economic Cooperation and Development, Overview<br />
of the OECD.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 19<br />
scope of biometric usage in the EU is Directive 95/46/EC,<br />
also known as the Data Protection Directive, and sometimes<br />
referred to as the Privacy Directive. This legislation<br />
covers both the public and private sectors and closely<br />
follows the OECD Guidelines.<br />
The directive was passed almost a decade ago on October<br />
24, 1995 by the Parliament and Council in an effort<br />
to “remove the obstacles to the free movement of data<br />
without diminishing the protection of personal data” and<br />
took effect on October 25, 1998. The objective of the<br />
Data Protection Directive is to harmonize national laws of<br />
member states on processing personal data and protecting<br />
the rights and freedoms of the persons about whom<br />
data is concerned (“data subjects”). The importance of<br />
the Data Protection Directive cannot be understated with<br />
respect to the discussion of the use of biometric identifiers<br />
and biometric recognition technology in the EU and<br />
its member states.<br />
The Data Protection Directive mandates that member<br />
states respect specific rights and obligations in the following<br />
areas: data quality; legitimacy of the data processing;<br />
special categories of processing; information to<br />
be given to the data subject; the data subject’s right of<br />
access to the data; the data subject’s right to object to<br />
and/or correct the data processing; confidentiality and<br />
security of processing; establishment of a public data<br />
protection supervisory authority; notification of processing<br />
to the supervisory authority; and transfer of personal<br />
data to third countries.<br />
Data Quality<br />
• : Personal data must be: (1) processed<br />
fairly and lawfully; be collected for specified, explicit,<br />
and legitimate purposes; (2) adequate, relevant, and<br />
not excessive in relation to the purposes for which<br />
Version 2 – Summer 2008
Section 7 20 <strong>Biometric</strong> Social and Cultural Implications<br />
they are collected; (3) accurate; and (4) kept in a form<br />
which permits identification of data subjects for no<br />
longer than is necessary.<br />
• Legitimacy of Data Processing:<br />
Personal data may<br />
be processed only if (1) the data subject has unambiguously<br />
given his/her consent; or (2) the processing<br />
is necessary either (a) for the performance of a<br />
contract to which the data subject is a party; (b) for<br />
compliance with the data controller’s legal obligation;<br />
(c) to protect the vital interests of the data subject;<br />
(d) for the performance of a task carried out in<br />
the public interest; (e) for the purposes of the legitimate<br />
interests pursued by the controller or by the<br />
third parties to whom the data is disclosed, except<br />
where such interests are overridden by the “fundamental<br />
rights” of the data subject.<br />
Prohibition on Processing of Sensitive Data<br />
• : The<br />
processing of personal data revealing racial or ethnic<br />
origin, political opinions, religious or philosophical<br />
beliefs, or trade-union membership, and the<br />
processing of data concerning health or sex life, are<br />
strictly prohibited. An exception is permitted if the<br />
data subject gives explicit consent, or if it is necessary<br />
to protect the vital interests of the data subject<br />
in the event that the data subject is incapable of giving<br />
consent. There are several other limited exceptions,<br />
such as where the processing of such data is<br />
necessary in the performance of obligations mandated<br />
by employment law. Subject to the provision<br />
of “suitable safeguards” and notification to the Commission,<br />
the member state may provide additional<br />
exemptions for reasons of public interest. If the processing<br />
of the data relates to offences, criminal convictions,<br />
or security measures, it may be carried out<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 21<br />
only under the control of official authority. Member<br />
states must determine the conditions under which<br />
a national identification number or any other identifier<br />
of general application may be processed. This<br />
prohibition could potentially impact the processing<br />
of biometric data, particularly if such data reveals the<br />
data subject’s race or ethnic background. For example,<br />
a facial image, which is essentially a digital photograph,<br />
can presumably reveal a person’s race, and<br />
possibly even ethnic background, to anyone observing<br />
the image.<br />
• Information to be Given to the Data Subject:<br />
Whenever<br />
personal data is collected, recorded, or disclosed<br />
to a third party, the data subject must be provided<br />
with information as to the identity of the data controller<br />
and the purpose of the processing for which<br />
the data are intended. Additionally, insofar as it may<br />
be necessary under the circumstances and with regard<br />
to fairness to the data subject, further information<br />
may be required to be given, such as the categories<br />
of data concerned, the recipient or categories of<br />
recipients of the data, whether giving the information<br />
is voluntary or involuntary, and the existence<br />
of the data subject’s right to access and correct the<br />
data.<br />
The Data Subject’s Right of Access to Data<br />
• : The data<br />
subject must have the right to obtain the following<br />
from the controller: (1) confirmation as to whether or<br />
not data relating to them is being processed; (2) the<br />
purpose of the processing; (3) the categories of data<br />
being processed; (4) the recipients of the data; (5) an<br />
intelligible form of the data; (6) information on the<br />
source of the data; (7) knowledge of the logic (i.e. the<br />
rationale) involved in any automatic processing of the<br />
Version 2 – Summer 2008
Section 7 22 <strong>Biometric</strong> Social and Cultural Implications<br />
•<br />
data; rectification (including erasure or blockage) of<br />
incomplete/inaccurate or unlawfully obtained data;<br />
and (8) notification to third parties to whom the data<br />
has been disclosed of any such rectification.<br />
Establishment of and Notification to Supervisory<br />
Authority: Each member state must appoint a public<br />
supervisory authority to monitor and enforce<br />
the application of the Directive. Subject to certain<br />
exceptions, data controllers or their representatives<br />
must notify the supervisory authority before carrying<br />
out “any wholly or partly automatic processing<br />
operation or set of operations intended to serve a<br />
single purpose or several related purposes.” There<br />
are specific requirements regarding the content of<br />
such notice, including notification of any proposed<br />
transfers of data to non-EU countries. In addition,<br />
the supervisory authority must maintain a public<br />
register of processing operations.<br />
Transfer of Personal Data to Non-EU Countries<br />
• :<br />
Subject to certain exceptions, transferring personal<br />
data to a non-EU country requires assurances of an<br />
adequate level of protection. “Adequacy” is to be assessed<br />
in light of all the circumstances surrounding<br />
a data transfer operation, giving particular consideration<br />
to the nature of the data, the purpose and<br />
duration, the country of origin and final destination,<br />
the non-EU country’s laws, and the professional rules<br />
and security measures which are in that country.<br />
The European Commission is empowered to determine<br />
whether or not a non-EU country ensures an<br />
adequate level of protection, in which case member<br />
states must comply with the Commission’s determination.<br />
If the Commission determines that the non-<br />
EU country does not have an adequate level of pro-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 23<br />
tection, the data cannot be transferred.<br />
The U.S. Department of Commerce, in consultation with<br />
the European Commission, developed the Safe Harbor<br />
Program to allow companies and organizations to certify<br />
that they maintain the necessary privacy protection standards<br />
as mandated by the Directive. 94<br />
The Safe Harbor Program provides U.S. and EU firms with<br />
numerous benefits. Listed below are some of the benefits<br />
for U.S. firms:<br />
1.<br />
2.<br />
3.<br />
All 27 Member States of the European Union will be<br />
bound by the European Commission’s finding of adequacy;<br />
Companies participating in the safe harbor will be<br />
deemed adequate and data flows to those companies<br />
will continue;<br />
Member State requirements for prior approval of<br />
data transfers either will be waived or approval will<br />
be automatically granted; and<br />
94 The U.S. Department of Commerce’s International Trade Administration,<br />
“Safe Harbor Privacy Principles Issued by the U.S. Department of<br />
Commerce on July 21, 2000,” http://www.export.gov/safeharbor/SH_<br />
Privacy.asp.<br />
Version 2 – Summer 2008
Section 7 24 <strong>Biometric</strong> Social and Cultural Implications<br />
4.<br />
Claims brought by European citizens against U.S.<br />
companies will be heard in the United States subject<br />
to limited exceptions. 95<br />
U.S. companies and organizations must agree to follow<br />
seven principles on data security and privacy as outlined<br />
in the Directive (See List 1 in appendix). More than 1500<br />
companies and organizations are Safe Harbor-certified.<br />
They must undergo a recertification annually by either<br />
performing a self-assessment of adherence to the seven<br />
principles on data security and privacy principles or hire<br />
a third party to perform the assessment.<br />
The Safe Harbor Program has received a fair amount of<br />
criticism for being a weak protector of privacy, because<br />
the program does not take into account state, national,<br />
and other international laws. Moreover, since the European<br />
Union passed a directive and not a regulation, for it<br />
to be effective, member states must implement national<br />
laws - causing delays and sometimes confusion and<br />
contradiction with existing laws and procedures. Wells,<br />
Courtney and Vogel explain that, while a U.S.-based corporation<br />
or entity without any assets in Europe would be<br />
safe simply relying on the Safe Harbor Principles, those<br />
that have assets inside of Europe will be subject to further<br />
national legislation, which could be stricter than the<br />
Directive. 27<br />
95 The U.S. Department of Commerce’s International Trade Administration,<br />
“Safe Harbor Overview,” http://www.export.gov/safeharbor/SH_<br />
Overview.asp.<br />
27 Steven A. Wells, Mark Courtney and Peter Vogel. “UnSafe Harbor: No<br />
Common Denominator in Privacy Compliance,” Computer Law Review<br />
& <strong>Technology</strong> Journal 9, no. 1 (2004), http://www.libraries.wvu.edu.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 25<br />
United Kingdom Data Protection Act<br />
In addition to following United States laws regarding<br />
the use and integration of biometric technologies into a<br />
public or private application, it is particularly important<br />
for any applications that may be cross-borders or cross-<br />
jurisdictions to consider the legal requirements outside<br />
of the United States. One such example is the UK Data<br />
Protection Act of 1998, which closely follows the EU Data<br />
Protection Act.<br />
All controllers of biometric data must adhere to the eight<br />
data protection principles. The obligations of controllers<br />
of biometric data are summarized below: 97<br />
1.<br />
Personal data shall be processed fairly and lawfully.<br />
In order for this principle to be met, the user must be<br />
told exactly why the data is being processed and the<br />
identity of the data controller. Generally speaking,<br />
the consent of each subject must also be obtained<br />
for processing (unless limited exemption applies).<br />
The EU data protection Working Party states that systems<br />
that collect data without the knowledge of their<br />
subjects (such as distance facial recognition systems)<br />
must be avoided. If the data is sensitive, then the requirements<br />
are even more stringent. In the majority<br />
of cases, the subject must be fully informed of all the<br />
relevant information and must explicitly give their<br />
consent. When sensitive data is concerned, implied<br />
consent will not suffice. The form of the consent will<br />
97 Knowing Me, Knowing You: <strong>Biometric</strong>s, the Security Industry, and the<br />
Law. Nick Mallet, Martineau Johnson. November 2004. www.martineau-johnson.co.uk.<br />
Used with permission.<br />
Version 2 – Summer 2008
Section 7 26 <strong>Biometric</strong> Social and Cultural Implications<br />
2.<br />
vary with the circumstances. For example, notices<br />
concerning the existence of CCTV cameras carry with<br />
them an implication of consent to being filmed and<br />
possibly recorded.<br />
Personal data shall be obtained only for specified<br />
and lawful purposes and shall not be processed<br />
in a manner incompatible with those purposes.<br />
This principle, which overlaps the first, concerns the<br />
obtaining and processing of information. It prohibits<br />
data controllers from further processing information<br />
that would otherwise be incompatible with the<br />
defined purpose(s) for which the data was collected.<br />
Data subjects/users must not be deceived or misled<br />
about the intended purpose of collection. For example,<br />
biometric data processed for access control purposes<br />
must not be used to assess the emotional state<br />
of the user or for surveillance in the workplace. All<br />
measures must be taken to prevent such incompatible<br />
re-use. It is thought that the centralized storage of<br />
biometric data increases the risk that databases could<br />
be linked together, thus leading to more detailed profiles<br />
of individuals. If this were to occur, then the ambit<br />
of the original purpose would be exceeded. The<br />
EU data protection Working Party recommends that<br />
biometric data remain with the person (user), for example,<br />
on a smart card, mobile phone, or bankcard.<br />
In addition, this principle imposes an obligation on<br />
those who disclose biometric data to a third party to<br />
impose contractual obligations on that third party to<br />
process the information only for purposes compatible<br />
with the data controller’s original specified purpose.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 27<br />
3.<br />
Personal data shall be adequate, relevant, and not<br />
excessive.<br />
The central idea of this principle is proportionality.<br />
The data controller should ask himself whether or not<br />
his intended purpose could be achieved in a less intrusive<br />
way taking into account the risks to the individual’s<br />
fundamental rights and freedoms. For example, in<br />
France the authorities refused to use childrens fingerprints<br />
for access to a school restaurant, but accepted<br />
the outline of the hand pattern for the same purpose.<br />
Data controllers will need to tailor each system to the<br />
specific requirements of the situation. A specific difficulty<br />
may arise as biometric data often contains more<br />
information than is necessary for its identification or<br />
verification functions, especially where raw data (such<br />
as an original image) is concerned. Data controllers<br />
should destroy unnecessary and irrelevant data as<br />
soon as possible and construct users’ references so as<br />
to preclude the processing of these data.<br />
Data protection authorities have suggested that biometric<br />
systems relating to physical characteristics<br />
that leave traces (e.g., fingerprints rather than hand<br />
shape) or those that store information in the control<br />
access device or a central database, may be excessive<br />
as they present more of a risk to the fundamental<br />
rights and freedoms of individuals. Therefore, it<br />
is recommended that biometrics be stored in an object<br />
exclusively available to the user such as a smart<br />
card, mobile phone, or bankcard. However, a central<br />
database will be required if the function of identification<br />
(“who am I?”) is to be carried out rather than<br />
the function of verification (“am I who I say I am?”). In<br />
these cases, particular care must be taken and safeguards<br />
put in place to preserve the individual’s rights<br />
Version 2 – Summer 2008
Section 7 28 <strong>Biometric</strong> Social and Cultural Implications<br />
4.<br />
5.<br />
and freedoms.<br />
Personal data shall be accurate and, where necessary,<br />
kept up to date.<br />
Data controllers are under an obligation to take reasonable<br />
steps to verify the accuracy of the data they<br />
obtain, but given the current state of technology,<br />
accuracy is still proving problematic for biometric<br />
systems to achieve. Indeed, most biometric systems<br />
have some flaws. For instance, it is estimated that<br />
five percent of people do not have readable fingerprints<br />
(either because of manual labor, hand cream,<br />
or genetic makeup, etc.).<br />
The problem is that such flaws could leave biometric<br />
systems open to challenge. The EU data protection<br />
Working Party emphasizes the importance of accuracy<br />
in biometric systems. Errors can have severe<br />
consequences, including the false rejection of those<br />
authorized and the false acceptance of those unauthorized.<br />
Faced which such “indisputable” evidence,<br />
individuals may find it impossible to prove the contrary.<br />
A viable option for data controllers is to employ<br />
a combination of measures or a multi-biometric system<br />
to achieve greater accuracy.<br />
Personal data shall be kept no longer than<br />
necessary.<br />
This principle overlaps with the third. It imposes<br />
an obligation on data controllers to keep personal<br />
data under constant review and delete all information<br />
that is no longer required for the purpose it was<br />
originally obtained. For example, it may be that a<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 29<br />
6.<br />
7.<br />
particular threat to security is no longer present and<br />
therefore the data is no longer needed.<br />
Personal data shall be processed in accordance with<br />
the rights of the data subject/user.<br />
This principle will be breached when a data controller<br />
fails to comply with an individual’s justified request<br />
to cease processing his/her biometric data or<br />
fails to respond to any request within a reasonable<br />
amount of time.<br />
A breach will also occur if a data controller does not<br />
comply with any subject/user access request. In certain<br />
circumstances, data subjects have a right to make<br />
these requests about the information being pertaining<br />
to them. The requests must be in writing and the<br />
data controller can charge a fee for dealing with each<br />
one. The data controller should satisfy him/her-self<br />
as to the individual’s identity (so as to adhere to the<br />
seventh principle) and can ask for details as to the location<br />
of the data. Each request must be dealt with<br />
within a reasonable amount of time.<br />
Appropriate measures shall be taken to prevent unauthorized<br />
use or accidental loss of personal data.<br />
Maintaining the security of biometric data is fundamental<br />
to safeguarding the rights and freedoms of<br />
the individual. The dangers of failing to meet this obligation<br />
are severe. Were someone to have stolen his<br />
biometric identity, an individual could not change<br />
his genetic attributes as easily as he could change his<br />
computer password. This could cause irretrievable<br />
damage to the individual concerned and limit their<br />
Version 2 – Summer 2008
Section 7 30 <strong>Biometric</strong> Social and Cultural Implications<br />
8.<br />
freedom in future. Data controllers must therefore<br />
ensure that protective measures give a level of security<br />
that is appropriate to the harm that might result.<br />
Particular care is required when biometric data<br />
is transmitted over a network or the Internet. Security<br />
measures could include the encryption of users’<br />
references, the protection of encryption keys, and<br />
access control.<br />
However, the Data Protection Act accounts for the<br />
“state of technology” (and its cost) available to the<br />
data controller at the relevant time. It is advisable<br />
that the data controller monitor changes in technology<br />
to avoid inadvertently breaching the legislation<br />
by failing to upgrade security systems. The EU data<br />
protection Working Party advocates developing encryption<br />
keys based on biometric data. These would<br />
allow an individual’s biometric data to be decoded<br />
only on the basis of a new collection of biometric<br />
data from the data subject herself/himself.<br />
The seventh principle also imposes an obligation on<br />
the data controller to ensure, as reasonably possible<br />
in the circumstances, the reliability of all employees<br />
who have access to personal data. Given the greater<br />
importance of biometric data, this obligation is likely<br />
to be more stringent, with a greater degree of training<br />
required for employees.<br />
Personal data shall not be transferred outside the<br />
EU unless that country ensures an adequate level of<br />
protection.<br />
This principle is particularly relevant for multi-<br />
national companies with offices and staff in different<br />
countries. For example, Microsoft was fined by<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 31<br />
Spanish data protection authorities for sending details<br />
about its Spain-based staff to company headquarters<br />
in the United States. The United States did<br />
not have an adequate level of protection. If data/<br />
information must be transferred, a Transborder Data<br />
Flow Agreement should be put into place, containing<br />
appropriate contractual provisions to secure compliance<br />
with the other seven principles and adopting<br />
the EU Commission’s approved clauses.<br />
Trans-Border Data Flow<br />
The United States currently, as of this writing, does not<br />
have a comprehensive personal data protection law<br />
(PDPL). Consequently, it is not considered to be a country<br />
having a law that offers “equivalent protection” of<br />
personal data. Unless other measures are taken, the<br />
transmission of personal data to the United States for automatic<br />
processing may be prohibited by the PDPLs of<br />
some countries, even if registration is not necessary under<br />
the relevant PDPLs to conduct identical data processing<br />
functions within those countries.<br />
In some cases, obtaining permission of the data subjects/users<br />
is sufficient to permit an otherwise impermissible<br />
trans-border data flow to occur. However, in some<br />
countries such as Switzerland, the duty to avoid sending<br />
personal data to a recipient without having “equivalent<br />
protection” in place is absolute, and even obtaining individuals’<br />
consent is not sufficient. 98<br />
In order to provide “equivalent protection” when<br />
Version 2 – Summer 2008
Section 7 32 <strong>Biometric</strong> Social and Cultural Implications<br />
personal data is to be transmitted to the United States,<br />
the sender may have to enter into a written agreement<br />
with the United States recipient, whereby the recipient<br />
affirmatively agrees to abide by data processing<br />
standards comparable to those required by CoE No. 108. 99<br />
Formal adoption of written data protection policies and<br />
implementation of additional security measures may<br />
also be necessary. In those countries where obtaining<br />
consent is sufficient, obtaining the consent of all affected<br />
customers may be the only way to provide a basis for a<br />
trans-border data transfer to the United States, which<br />
would otherwise be impermissible.<br />
CoE No. 108<br />
Under personal data protection laws, the gathering, storage,<br />
processing, and transmission of personal data is<br />
subject to certain rules that CoE No. 108 made universal,<br />
including:<br />
•<br />
•<br />
The data must be collected in a “fair” manner (i.e., not<br />
through deceptive or illegal means).<br />
The data can only be used for the purpose for which<br />
it was collected and only for the time reasonably<br />
necessary.<br />
98 Foreign Laws Affecting Data Processing and Transborder Data Flows.<br />
Paul H. Silhan.<br />
99 CoE No. 108. Council of Europe. Directive that established minimum<br />
standards for personal data protection. Signatory countries agreed to<br />
implement this through domestic legislation and enunciates certain<br />
rights individuals have with regard to their personal data.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 33<br />
•<br />
•<br />
•<br />
•<br />
Persons are entitled to receive a report, on request,<br />
on what data has been collected by a particular company<br />
or government agency about them.<br />
One’s personal data cannot be disclosed to third parties<br />
unless authorized by statute or the individual has<br />
given consent (although the consent can sometimes<br />
be implied).<br />
Persons have the right to make corrections to their<br />
personal data and, in some cases, to have deleted or<br />
disputed data flagged as such.<br />
The transmission of personal data to locations where<br />
“equivalent protection” of personal data cannot be<br />
assured is prohibited.<br />
Data Protection Authority<br />
In several countries, including the United Kingdom, many<br />
forms of personal data processing must be registered<br />
with a data protection authority unless an exemption is<br />
available or the individual has given consent to use and<br />
process his/her personal data in a manner that otherwise<br />
would be prohibited by the data protection laws.<br />
Registration typically involves filing information about<br />
the data processing operation, such as what types of data<br />
are being collected and processed, what types of security<br />
are in place, who has access to the data, and where the<br />
data is being transmitted. Failure to register, if required,<br />
subjects the company to fines and, in some countries<br />
Version 2 – Summer 2008
Section 7 34 <strong>Biometric</strong> Social and Cultural Implications<br />
such as Germany, to possible jail sentences. 100<br />
Summary<br />
<strong>Biometric</strong> technology is legally neutral. How it is used (or<br />
more accurately misused) can raise questions of legality<br />
and a possible determination of whether such use meets<br />
all of the stipulations and prohibitions relative to that usage.<br />
Similarly, biometric technology is not an intrinsic<br />
threat to privacy or civil liberties and claims to the contrary<br />
are not helpful in finding the appropriate niche for<br />
promoting in identity assurance. Beyond the issue of “anonymity,”<br />
biometrics issues are left to rely on standards of<br />
reasonableness and common sense when specific usage<br />
is not addressed by the law. This is not a position to be<br />
taken lightly and the biometric community and owner/<br />
operators have a fundamental obligation to integrate<br />
the technology with minimal negative impact on the using<br />
population in their society.<br />
Ultimately, issues regarding usage alternatives and propriety<br />
will be resolved in individual case law or by antiabuse<br />
legislation at the national level. In any event, and<br />
until a more comprehensive resolution is available, compliance<br />
with the rules that are in place and a liberal interpretation<br />
of the “reasonable and common sense” dictum,<br />
is appropriate for all participants in the biometric community.<br />
100 Foreign Laws Affecting Data Processing and Transborder Data Flows.<br />
Paul H. Silhan.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 35<br />
Section 7, Part II: Societal Issues—Privacy<br />
Considerations<br />
The right of the people to be secure in their persons, houses,<br />
papers, and effects, against unreasonable searches and<br />
seizures, shall not be violated. 101<br />
Privacy advocates claim that taking biometric data from<br />
an individual without the express consent of that individual<br />
is a violation of the Fourth Amendment to the U.S.<br />
Constitution. While this matter has not been settled in the<br />
courts, it seems reasonable to presume that future privacy<br />
rulings will fall under laws associated with searches<br />
and seizures, and, therefore, the Fourth Amendment.<br />
During the past 35 years, the United States Congress<br />
has enacted some privacy laws that detail the manner in<br />
which an agency of the federal government must maintain<br />
records that it collects on its citizens.<br />
The Federal Privacy Act of 1974, which covers federal<br />
government agencies only and not private individuals or<br />
industry, or state and local government agencies, defines<br />
“record” as:<br />
“...any item, collection, or grouping of information<br />
about an individual that is maintained by an agency,<br />
including, but not limited to, his education, financial<br />
transactions, medical history, and criminal or employment<br />
history and that contains his name, or the identifying<br />
number, symbol, or other identifying particular<br />
assigned to the individual, such as a finger or voice<br />
print or photograph.”<br />
101 The United States Constitution. 1791.<br />
Version 2 – Summer 2008
Section 7 36 <strong>Biometric</strong> Social and Cultural Implications<br />
There remains vast disagreement among the courts as<br />
to how broadly to interpret the Privacy Act’s definition of<br />
“record.” Accordingly, an examination of the holdings of<br />
the lower courts is critical, though not definitive. For example,<br />
the Second and Third Circuits have both applied<br />
a broad interpretation of the term “records.” Conversely,<br />
the Ninth and Eleventh Circuits have adopted narrow<br />
constructions of the term “records,” thereby limiting the<br />
Privacy Act to cover personal information maintained by<br />
the government.<br />
More recently, the Fifth Circuit issued a decision where<br />
interpretation of the term “record” was a key issue. In Jacobs<br />
v. National Drug Intelligence Center, the Fifth Circuit<br />
Court of Appeals adopted a broad interpretation of the<br />
term “record” by looking at the legislative history, which<br />
the court believes supports a broader interpretation than<br />
the one advanced by the National Drug Intelligence Center.<br />
At issue was whether information about Jacobs that<br />
was contained in an executive summary of an internal report<br />
leaked by the National Drug Intelligence Center was<br />
a record. The court held that the executive summary was<br />
a record constituting a violation of the Privacy Act. 102<br />
According to the OMB’s guidelines, even publicly available<br />
information, such as newspaper clippings or press<br />
releases, can constitute a “record.” 103 Several courts, in-<br />
102 Jacobs v. National Drug Intelligence Center, 423 F. 3rd 512 (5th Cir.<br />
2005)<br />
103 See OMB Guidelines, 40 Fed. Reg. 56, 741, 56, 742 (1975) (“[c]<br />
ollections of newspaper clippings or other published matter about an<br />
individual maintained other than in a conventional reference library<br />
would normally be a system of records”).<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 37<br />
cluding the Eleventh Circuit Court of Appeals, have agreed<br />
with this interpretation. 104 Under such an interpretation, a<br />
biometric would constitute a record subject to the Privacy<br />
Act even if it were construed as publicly available information,<br />
since biometrics are certainly no more public than<br />
published information.<br />
It should be noted that many biometric “records” are often<br />
one-way encrypted digitized representations that<br />
reveal nothing about the person. As such, they may be<br />
less likely to be deemed “records” under the Privacy Act.<br />
In iris identification, for example, there is no need to have<br />
any personal information maintained in the database. All<br />
that is needed is the encrypted template for the access<br />
control system to function. Thus, to fall under the Privacy<br />
Act, such encrypted template (separate from the biometric)<br />
would itself have to be deemed a record. Because the<br />
encrypted template cannot be traced to the person from<br />
whom it was taken, it is highly questionable whether an<br />
encrypted template is a record if there is no other personally<br />
identifying information or other personal information<br />
attached to it.<br />
The Act prohibits an agency of the U.S. Government from<br />
providing citizen records to a third party without the individual’s<br />
consent, allows a person to correct erroneous information<br />
about him/her, and legislates that all information<br />
about an individual must be made available to that<br />
individual. Under the law, federal agencies are allowed to<br />
request an exemption, if they are involved in law enforce-<br />
104 See Clarkson v. IRS, 678 F.2d 1368, 1372 (11th Cir. 1982) (permitting<br />
challenge to agency’s maintenance of newletters and press releases);<br />
Murphy v. NSA, 2 Gov’t Disclosure Serv. (P-H) paragraph 81, 389, at 82,<br />
036-37 (D.D.C. Sept. 29, 1981) (permitting challenge to agency’s maintenance<br />
of newspaper clippings).<br />
Version 2 – Summer 2008
Section 7 38 <strong>Biometric</strong> Social and Cultural Implications<br />
ment or national security defense, generally. The Central<br />
Intelligence Agency, for example, is expressly exempt<br />
from the law. 105<br />
In August 2007, the Department of Homeland Security<br />
(DHS) requested an exemption from the law for its Arrival<br />
and Departure Information System (ADIS). 106 ADIS is a<br />
way of compiling data on aliens 107 flying into the United<br />
States who could be national security threats. DHS then<br />
shares the information with law enforcement, immigration<br />
controllers, intelligence officers and other concerned<br />
constituencies. 108 ADIS stores biographic, biometric indicator<br />
and encounter data on aliens who have applied<br />
for entry, entered or departed the Unites States. Primarily<br />
and specifically, the system was developed to investigate<br />
individuals who might have violated their immigration<br />
status by staying in the United States longer than authorized.<br />
109 ADIS will supplement the Passenger Name Record<br />
Program (PNRP), a privately developed partnership<br />
between airlines to track and screen their passengers.<br />
The International Air Transport Association, an interna-<br />
105 See Clarkson v. IRS, 678 F.2d 1368, 1372 (11th Cir. 1982) (permitting<br />
challenge to agency’s maintenance of newletters and press releases);<br />
Murphy v. NSA, 2 Gov’t Disclosure Serv. (P-H) paragraph 81, 389, at 82,<br />
036-37 (D.D.C. Sept. 29, 1981) (permitting challenge to agency’s maintenance<br />
of newspaper clippings).<br />
106 U.S. Government Printing Office, “Privacy Act of 1974: Implementation<br />
of Exemptions,” http://edocket.access.gpo.gov/2007/E7-16461.htm.<br />
107 An “alien” is defined by the Immigration and Nationality Act as<br />
anyone who is not a citizen or national of the United States. 8 U.S.C.<br />
1101 (a)(3).<br />
108 U.S. Department of Homeland Security, “Privacy Impact Assessment<br />
for the Arrival and Departure Information System (ADIS): August<br />
1, 2007,” http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_<br />
usvisit_adis_2007.pdf.<br />
109 Ibid.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 39<br />
tional trade group of airlines, standardized what information<br />
would be collected and the layout of PNRP. On<br />
May 28, 2004, an international agreement was signed between<br />
the United States and European Union concerning<br />
PNRP and the usage of the information. PNRP is shared<br />
between the United States and EU, if privacy practices are<br />
upheld - specifically Directive 95/46/EC of the EU, 110 commonly<br />
known as the Data Protection Directive, and the<br />
Organisation for Economic Co-operation and Development<br />
Guidelines on the Protection of Privacy and Transborder<br />
Flows of personal Data. 111<br />
In July 2007, the U.S. Department of Homeland Security<br />
and the European Union entered into an agreement concerning<br />
the transfer and sharing of PNRP data. Under the<br />
terms of the agreement, DHS agreed to certain undisclosed<br />
privacy assurances but at least adhering to the EU<br />
Data Protection Directive and the OECD Guidelines. In return,<br />
the EU will ensure that air carriers operating flights<br />
to the United States will make their PNRP data available<br />
to DHS. 112<br />
110 Officcial Journal of the Eurpoean Communitities, “Directive 95/46/<br />
EC of the Eurpoean Parliament and of the Council of 24 October<br />
1995,” http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/<br />
dir1995-46_part1_en.pdf..<br />
111 OECD Directorate for Science, <strong>Technology</strong> and Industry, “OECD<br />
Guidelines on the Protection of Privacy and Transborder Flows of Personal<br />
Data,” http://www.oecd.org/document/18/0,3343,en_2649_3425<br />
5_1815186_1_1_1_1,00.html.<br />
112 U.S. Department of Homeland Security, “Agreement Between the<br />
United States of America and the European Union on the Processing<br />
and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the<br />
United States Department of Homeland Security (DHS),” http://www.<br />
dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf.<br />
Version 2 – Summer 2008
Section 7 40 <strong>Biometric</strong> Social and Cultural Implications<br />
The Health Insurance Portability and Accountability<br />
Act (HIPAA) of 1996 laid the groundwork for the privacy<br />
of health records. Although lacking in specific details,<br />
HIPAA mandates the development of standards for the<br />
exchange and release of patient health records.<br />
For the most part, the job of ensuring the confidentiality<br />
and integrity of personal data in the commercial marketplace<br />
is left to each state.<br />
A complete summary of state privacy laws is beyond the<br />
scope of this publication. However, they can be found<br />
at the Electronic Privacy Information Center web site at<br />
www.epic.org/privacy/consumer/states.html.<br />
EU Data Protection Directive<br />
The European Union Data Protection Directive (also<br />
known as the EU Privacy Directive) provides comprehensive<br />
privacy protection for personal information applicable<br />
to all 27 EU member states. The Directive’s definition<br />
of personal data includes biometric identification<br />
records, and applies to American organizations handling<br />
data in the EU.<br />
Under the Directive, personal data is defined as any information<br />
relating to an identified or identifiable natural<br />
person. An identifiable person is one who can be identified,<br />
directly or indirectly, in particular reference to an<br />
identification number or to one or more factors specific<br />
to his/her physical, biological, mental, economic, cultural,<br />
or social identity.<br />
While the term “biometric” is not specifically cited in the<br />
text, biometric identification records will likely be im-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 41<br />
plicated by the Directive’s definition of personal data.<br />
Meaning, biometric vendors, systems integrators, and<br />
any organization using or planning to use biometrics in<br />
the EU should understand this Directive and comply with<br />
its terms.<br />
American business should closely examine this Directive.<br />
Under the terms, all EU member states as well as any nonmember<br />
state doing business in the EU are required to<br />
follow “minimum standards” with respect to safeguarding<br />
personal data. Specifically, Article 25 of the EU Data<br />
Protection Directive forbids any transfer of personal data<br />
from the EU to countries that do not guarantee or do not<br />
have in place adequate safeguards for such data. For the<br />
United States, where privacy laws may not conform to<br />
the EU’s policies, the Directive poses obstacles since U. S.<br />
companies may be denied access to the EU market or be<br />
subjected to penalties for failing to protect the privacy<br />
of EU citizens. The European Commission is empowered<br />
to determine whether or not a non-EU country ensures<br />
an adequate level of protection.<br />
The Data Protection Directive bars the transfer of data<br />
to non-EU countries without similar data protections in<br />
place. The European Commission maintains a so-called<br />
“white list” of countries that it believes have laws that adequately<br />
protect data privacy. The United States’ exclusion<br />
from this list has had a substantial impact on the free<br />
flow of information containing personal data from the EU<br />
to the United States.<br />
On a business level, member countries have an affirmative<br />
duty to make sure that any company in the United<br />
States ensures an adequate level of protection before the<br />
member state may transfer personal data to the non-EU<br />
country.<br />
Version 2 – Summer 2008
Section 7 42 <strong>Biometric</strong> Social and Cultural Implications<br />
On a national security level, the EU has also been quite<br />
successful in hindering certain United States’ plans to<br />
implement programs that would require the use of personal<br />
data (including biometrics) from EU citizens and<br />
has essentially compelled the United States to agree to<br />
provide specific protections before certain types of data<br />
transfers have been permitted.<br />
<strong>Biometric</strong>s and Privacy<br />
The role or impact that biometrics plays with regard to<br />
personal privacy is substantially determined by the scope<br />
and definition individuals give to the term “privacy.” Not<br />
surprisingly, that definition differs widely. To those who<br />
consider “privacy” as equivalent to “anonymity,” there is<br />
probably little ground for compromise. For those who<br />
believe that any meaningful information about our person,<br />
held by others, is an intrusion if not an invasion of<br />
our privacy, that concern is acknowledgable and the<br />
threat can be minimized. Informal evidence and public<br />
sampling suggests that the mainstream view of the issue<br />
is more balanced in that there is recognition of possible<br />
impact, but acceptance of the technology is greater than<br />
the threat of personal intrusion. Before examining that<br />
balance, “privacy” must be better defined.<br />
A Working Definition of Privacy<br />
The word “privacy” is difficult to define as it has varying<br />
meanings depending on culture, environment, and a<br />
given situation. Stated simply, “Privacy is the interest that<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 43<br />
individuals have in sustaining a ‘personal space’ free from<br />
interference by other people and organizations.” 113<br />
“Privacy”, however, is a far more complex issue with several<br />
dimensions, 114 including:<br />
• Privacy of the person:<br />
Sometimes referred to as<br />
“bodily privacy.” This is concerned with the integrity<br />
of the individual’s body. Issues include compulsory<br />
immunization, blood transfusion without consent,<br />
and compulsory provision of samples of body fluids<br />
and body tissue.<br />
• Privacy of personal behavior:<br />
This relates to all aspects<br />
of behavior but particularly to sensitive matters<br />
such as political activities and religious practices, in<br />
both private and public situations. It includes what is<br />
sometimes referred to as “media privacy.”<br />
• Privacy of personal communications:<br />
Individuals<br />
claim an interest in being able to communicate<br />
amongst themselves, using various media, without<br />
routine monitoring of their communications by<br />
other persons or organizations. This includes what is<br />
sometimes referred to as “interception privacy.”<br />
• Privacy of personal data:<br />
Individuals claim that<br />
data about themselves should not be automatically<br />
available to other individuals and organizations and,<br />
where data is possessed by another party, the individual<br />
must be able to exercise a substantial degree<br />
113 As defined by Roger Clarke. Introduction to Dataveillance and Infor-<br />
mation Privacy. Used with permission.<br />
114 As defined by Roger Clarke. Introduction to Dataveillance and Infor-<br />
mation Privacy. Used with permission.<br />
Version 2 – Summer 2008
Section 7 44 <strong>Biometric</strong> Social and Cultural Implications<br />
of control over that data and its use. This is sometimes<br />
referred to as “data privacy” and/or “information<br />
privacy.”<br />
From the standpoint of biometrics, privacy includes an<br />
aspect of autonomy (not anonymity), that is, control of<br />
information about one’s self and control over our personal<br />
identity. Control over “information about ourselves”<br />
is central to the discussions about information<br />
privacy, for example. People have a vested interest in<br />
determining how, when, why, and to whom information<br />
about themselves, in the form of a biometric identifier,<br />
can or would be disclosed. 115<br />
An important implication of the definition of privacy is<br />
that it needs to be balanced against other, competing<br />
forces. For example: 116<br />
•<br />
•<br />
•<br />
The privacy interest of one person or group of people<br />
may conflict with some other interest of their own,<br />
and the two may have to be traded off (e.g., access<br />
to credit or quality of healthcare)<br />
The privacy interest of one person or group of<br />
people may conflict with the privacy interests of<br />
another person or group of people (e.g., healthcare<br />
information that is relevant to multiple members of<br />
a family)<br />
The privacy interest of one person or group of people<br />
may conflict with other interests of another person,<br />
115 From <strong>Biometric</strong>s: Identity Assurance in the Information Age. John D.<br />
Woodward, Jr. McGraw-Hill. 2003. Pg. 215. Used with permission.<br />
116 As defined by Roger Clarke. Introduction to Dataveillance and<br />
Information Privacy. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 45<br />
group of people, organization, or society as a whole<br />
(e.g., creditors, an insurer, and protection of the public<br />
against serious disease)<br />
Privacy protection is a process of finding appropriate<br />
balance between privacy and multiple competing<br />
interests.<br />
When considering a biometric-based identification system<br />
for any use—public, private, large scale or small—<br />
and balancing privacy and confidentiality of data, the<br />
issue is not so much the use of a biometric, or which<br />
biometric is being used, but how the back-end data is<br />
coordinated and what decisions are made as a result of<br />
checking against this data. 117<br />
If the biometric-based application is in the public sector,<br />
there is a responsibility to ensure that any such system<br />
is implemented in an ethical manner with full attention<br />
given to areas such as data protection and privacy.<br />
One of the biggest fears about biometrics is that personal<br />
information collected in connection with or for purposes<br />
of biometric identification will be used for reasons other<br />
than the original intent. This concern is often referred to<br />
as “function creep” or “mission creep.” A classic example of<br />
function creep are Social Security numbers in the United<br />
States, which were created for the sole purpose of administrating<br />
Social Security benefits, but are now used as the<br />
de facto numeric identities for Americans (although, as<br />
of this writing, new government regulations are requir-<br />
117 From Practical <strong>Biometric</strong>s: From Aspiration to Implementation. Julian<br />
Ashbourn. Springer-Verlag. 2004 Pg. 4. Used with permission.<br />
Version 2 – Summer 2008
Section 7 46 <strong>Biometric</strong> Social and Cultural Implications<br />
ing companies, such as health insurance carriers, to use<br />
personal identifiers other than social security numbers to<br />
identify their insured).<br />
If there is no database and biometrics are used simply to<br />
verify an individual’s identity in situations where verification<br />
of identity is permissible, there are no legal issues.<br />
Further, biometrics may be used to identify a person (i.e.,<br />
using a central database) in circumstances where the<br />
public has a justifiable need to know who a person is and<br />
whether that person poses a threat. A number of United<br />
States government privacy initiatives have been implemented<br />
to address such situations. These include, but<br />
are not limited to, National Security Directive 59/Homeland<br />
Security Presidential Directive 24, the US Visit Program,<br />
the Homeland Security Presidential Directive-12<br />
(HSPD-12), the Registered Traveler (RT) Program and the<br />
Real ID Act.<br />
National Security Presidential Directive 59/<br />
Homeland Security Presidential Directive 24<br />
NSPD 59/HSPD 24 are the first presidential directives to<br />
deal exclusively with biometrics - more specifically, their<br />
application to identification and screening to enhance<br />
national security. The purpose of the framework is to<br />
“ensure that Federal executive department agencies...<br />
use [interoperable] methods and procedures in the collection,<br />
storage, use, analysis, and sharing on biometric<br />
and associated biographic and contextual information of<br />
individuals... 118 <strong>Biometric</strong>s will be used by various federal<br />
118 The White House Office of the Press Secretary, “National Security Presidential<br />
Directive and Homeland Security Presidential Directive, “ http://<br />
www.whitehouse.gov/new/releases/2008/06/20080605-8.htm.l.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 47<br />
agencies to screen for “known and suspected terrorists<br />
(KSTs)” - with the information on those individuals being<br />
collected, stored, and shared to prevent terrorist acts.<br />
The directive also promotes greater inter-agency flow<br />
of biometric information by requiring agencies to “make<br />
available to other agencies all biometric and associated<br />
biographic and contextual information associated with<br />
persons for whom there is an articulated and reasonable<br />
basis for suspicion that they pose a threat to national<br />
security.” The sharing, though, must respect applicable<br />
confidentiality and privacy laws. These new policies are<br />
to be implemented by the assistant to the president for<br />
Homeland Security and Counter-terrorism, the assistant<br />
to the president for National Security Affairs and the Director<br />
of the Office of Science and <strong>Technology</strong>. 119<br />
US-Visit Program<br />
The program is the culmination and implementation of<br />
a number of different legislative acts intending to ensure<br />
the accurate tracking of foreign nationals entering and<br />
exiting the United States. 120 The program was originally<br />
limited to holders of certain non-immigrant visas and<br />
was soon expanded to include many non-visa countries,<br />
119 Ibid.<br />
120 For a complete recitation of the background and the planned<br />
implementation of US-VISIT see Federal Register/Vol. 69, No. 2,<br />
Implementation of the United States Visitor and Immigrant Status<br />
Indicator <strong>Technology</strong> Program (“US-VISIT”); <strong>Biometric</strong> Requirements;<br />
Notice to Nonimmigrant Aliens Subject To Be Enrolled in the United<br />
States Visitor and Immigrant Status Indicator <strong>Technology</strong> System;<br />
Interim Final Rule and Notice.<br />
Version 2 – Summer 2008
Section 7 48 <strong>Biometric</strong> Social and Cultural Implications<br />
including Canada and the United Kingdom. US-VISIT has<br />
since been further expanded to cover virtually all visitors<br />
holding non-immigrant visas, regardless of country of<br />
origin (with limited exemptions, for certain visa holders<br />
including, most Canadians, some Mexicans, and people<br />
under the age of 14 or over the age of 79). 121 This will<br />
include millions of permanent residents and green card<br />
holders, who will be required to be fingerprinted and<br />
photographed upon re-entering the United States by<br />
air or sea. Foreign nationals covered under the program<br />
who refuse to give the requested biometric information<br />
upon entry may be deemed inadmissible to the United<br />
States for failure to provide the required documentation.<br />
The 9/11 Commission recommended that the US-VISIT<br />
program be expanded to include exit data as well as entry<br />
data, and, more importantly, that Americans not be<br />
exempt from the program. The Department of Homeland<br />
Security began testing exit procedures at several<br />
airports around the country, 122 but, as of May 6, 2007,<br />
ended this practice. 124 On May 21, 2008, the US-VISIT Program<br />
issued a “request for Information/Sources Sought”<br />
to conduct market research. The United States government<br />
issued this request to identify potential solutions,<br />
service providers, and suppliers interested in participating<br />
in the design and development of a biometric land<br />
exit solution. 124<br />
121 http:www.dhs.gov/xtrvlsec/programs/content_multi_image_00006.<br />
shtm.<br />
122 http://www.dhs.gov/xtrvlsec/programs/editorial_0525.shtm.<br />
123 Id.<br />
124 http://www.fbo.gov/index?tab=core&s=opportunity&mode=form&<br />
id=833c071bbc5913a9d93742f903ab7da0&cck=1&au=&ck=.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 49<br />
Homeland Security Presidential Directive-12<br />
HSPD-12 promulgated a program designed to create a<br />
single standard for identification for all federal government<br />
employees and contractors by use of a “smart card”.<br />
These smart cards will allow for identification with photographic<br />
images printed on the card then include biometric<br />
data, PINs, and other electronic credentials (such<br />
as digital certificates) stored on the card. The overall goal<br />
of HSPD-12 is to increase security, reduce identity fraud,<br />
protect the personal privacy of the cardholder, and generally<br />
achieve appropriate security assurance by verifying<br />
the identity of individuals seeking physical access to government<br />
facilities and electronic access to government<br />
information systems. 125 HSPD-12 initially required agencies,<br />
at a minimum, to issue standards-compliant personal<br />
identity verification (PIV) cards to all new employees<br />
and contractors by October 27, 2006. This date has been<br />
extended to October 2008.<br />
The Registered Traveler Program<br />
The RT Program currently being deployed by the Transportation<br />
Security Administration (TSA) in conjunction<br />
with private industry is intended to provide expedited<br />
security screening for select airline passengers who voluntarily<br />
submit certain biometric and biographical information<br />
to a TSA-approved vendor, successfully complete<br />
a security threat assessment, and pay an enrollment<br />
125 http://www.osec.doc.gov/osy/HSPD12/HSPD-12Information.htm.<br />
Version 2 – Summer 2008
Section 7 50 <strong>Biometric</strong> Social and Cultural Implications<br />
fee. 126 Only United States citizens, United States nationals,<br />
and lawful permanent residents are eligible to participate,<br />
and all participants must be over the age of 12. 127<br />
Under this program, private companies, in conjunction<br />
with TSA, permit individuals to pay a “membership” fee<br />
and undergo a TSA-administered security threat assessment<br />
in advance, thus permitting members to experience<br />
curtailed security screening at airports. 128 Travelers<br />
who wish to participate in this program must submit fingerprints<br />
and iris images during the enrollment process<br />
and security threat assessment phase. Only portions of<br />
these biometric images are stored on the card so that the<br />
original image cannot be recreated from the information<br />
on the card. 129 130 The Registered Traveler Program offers<br />
dedicated lanes at certain airports to minimize waiting<br />
times for members. 131 The program is available to<br />
United States citizens, permanent resident aliens, and<br />
United States nationals. 132 Private companies administering<br />
programs include FLO (administered by The FLO<br />
126 Overview of the Registered Traveler Program from the TSA website:<br />
www.tsa.gov. TSA estimates that the enrollment fee will be around $30.<br />
However, private companies selling the services to the public are expected<br />
to charge more.<br />
127 From the Registered Traveler Program Model issued by TSA in May<br />
2006.<br />
128 http://www.tsa.gov/what_we_do/rt/rt-travelers.shtm.<br />
129 http://www.rtgocard.com/faq.htm#How_are_my_fingerprints_<br />
and_iris_image_biometrics_used.<br />
130 http://www.tsa.gov/assets/pdf/pia_tsa-rt_20060901.pdf.<br />
131 Id.<br />
132 http://www.tsa.gov/what-we-do/rt/rt-travelers.shtm.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 51<br />
Corporation ), 133 CLEAR (administered by Verified Identity<br />
Pass), 134 and RtGo (operated by Unisys Corporation). 135<br />
The annual fee for these programs ranges from $100 to<br />
$128 and includes a $28 fee charged by TSA.<br />
The Real ID Act<br />
The Real ID Act was signed into law on May 11, 2005, after<br />
passing through the Senate by a 100-0 vote. 136 The Real<br />
ID Act imposes certain federal requirements on state-issued<br />
driver’s licenses and identification cards. Immigration<br />
and civil liberties groups believe it is a prelude to a<br />
national identification card and are calling it an attack<br />
not only on privacy, but also on refugees and asylumseekers.<br />
Supporters, on the other hand, believe the Real<br />
ID Act will make United States borders safer. 137<br />
The fundamental purpose and operation of the Act has<br />
changed little since it passed, and state governments<br />
and departments of motor vehicles remain concerned<br />
over the logistics of implementing it. In September 2006,<br />
a report titled “The Real ID Act: National Impact Analysis”<br />
was issued by a coalition of state governors, state legislative<br />
groups, and representatives from the American As-<br />
133 http://www.flocard.com.<br />
134 http://www.flyclear.com.<br />
135 http://www.rtgocard.com.<br />
136 With respect the bill’s unanimous passage in the Senate, it should be<br />
noted that critics of the legislation point to the fact that it was attached<br />
to “must-pass” legislation for funding military action in Iraq.<br />
137 http://www.washingtontimes.com/upi-breaking/20050509-050110-<br />
3715r.htm.<br />
Version 2 – Summer 2008
Section 7 52 <strong>Biometric</strong> Social and Cultural Implications<br />
sociation of Motor Vehicle Administrators (the “Real ID<br />
Report”). The Real ID Report concludes that states have<br />
been given no real implementation guidelines and it<br />
projects that the cost of implementation will be around<br />
$11 billion, which is more than 100 times the $100 million<br />
Congress estimated when it passed the bill. The report<br />
breaks down the total cost by analyzing and estimating<br />
the cost of implementation of each of the Act’s requirements.<br />
the report recommends that Congress extend<br />
the deadline to give states more time to not only implement<br />
the new identification cards, but also to assess security<br />
safeguards. 138 After several prior extensions, states<br />
were supposed to be in full compliance with the Real ID<br />
Act by May 11, 2008. However, this deadline can be delayed<br />
until May 11, 2011 by timely filing requests for extensions.<br />
In the Final Rule on the Minimum Standards<br />
for Driver’s Licenses and Identification Cards Acceptable<br />
by Federal Agencies for Official Purposes, published in<br />
the Federal Register on January 29, 2008 and effective<br />
March 31, 2008, the Department of Homeland Security<br />
offered extensions in compliance to states as long as<br />
they apply by March 31, 2008. These extensions will terminate<br />
on December 31, 2009, unless the states apply<br />
for an additional extension by October 11, 2009. These<br />
additional extensions will terminate May 11, 2011. After<br />
that, federal facilities and agencies will no longer accept<br />
state driver’s licenses or identification cards that do not<br />
comply with the Real ID Act.<br />
138 A separate report issued by INPUT [INPUT is a company providing<br />
market information to help private companies procure government<br />
contracts and is sthe self-proclaimed “authority on government business.”]<br />
estimates the cost at only $2.5 billion, which is still significantly<br />
higher than Congress’s original estimate. See INPUT Press Release August<br />
30, 2006..<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 53<br />
Generally, privacy issues are more likely to arise when<br />
identification is covert or when the biometric is attached<br />
to highly sensitive information, such as in the case of<br />
identifying people through DNA or linking a biometric<br />
to criminal, medical, or financial information. However,<br />
most of the activities where biometrics is expected to be<br />
used for national security are innocuous and would be<br />
done with the full knowledge and consent of the individual.<br />
For example, the identification of an airline passenger<br />
is no longer considered highly sensitive, especially<br />
considering that passengers are already required to<br />
identify themselves to airport personnel, and considering<br />
further that potentially hundreds of other lives could<br />
be at stake. Air travel safety is clearly an important public<br />
issue. Although under certain circumstances it is possible<br />
that such travel information when available to others<br />
could compromise someone’s need to travel secretly,<br />
such isolated and remote circumstances cannot justify<br />
compromising national security and can be dealt with by<br />
the individual.<br />
From a practical standpoint, public opinion or confidence<br />
in any system of identification assurance is important because<br />
without at least tacit acceptance and approval, operating<br />
success will suffer or fail. Therefore, it is important<br />
that issues of individual privacy be taken into account in<br />
any system that is employed regardless of whether the<br />
law requires it. Personal information related to biometric<br />
use should be sequestered or obscured, or made anonymous<br />
to the greatest extent possible. Databases should<br />
be used only when necessary and only relevant information<br />
should be kept in any database and disposed of<br />
when it is no longer needed. Individuals should be fully<br />
informed about the collection process, allowed access to<br />
their information, and have the ability to correct any errors.<br />
There must be oversight and strict controls and pro-<br />
Version 2 – Summer 2008
Section 7 54 <strong>Biometric</strong> Social and Cultural Implications<br />
cedures in place governing how the information is used<br />
and shared. Finally, there must be effective monitoring,<br />
enforcement, and consequences for abuses, misuses, or<br />
violations of the controls, policies, or procedures associated<br />
with use of the biometric system. Penalties should<br />
include fines, termination of employment, and in severe<br />
situations, prosecution under the law to help sustain<br />
public confidence and personal protection.<br />
One of the most critical aspects of biometric privacy protection<br />
is the issue of database management and security.<br />
Generally, separation and effective isolation of personal<br />
information databases from biometric template/<br />
reference information databases should be a design<br />
goal. To address this issue NBSP has developed a new<br />
concept for third party identity authentication in a virtually<br />
anonymous environment. Anonymous Recognition<br />
® (AR) is intended to address the need for a system<br />
that provides a centralized database of biometric data<br />
that is separate and distinct from biographical and other<br />
private data, a system that isolates personal data (PII)<br />
in such a fashion that it cannot be compromised by the<br />
authentication process itself. AR includes a secure repository<br />
of fully searchable and readily available multimodal<br />
biometric data, collected on a voluntary basis, for<br />
real time authentication of an individual’s claim of identity.<br />
It establishes and maintains a link with the unique<br />
identity of each registered individual without access to<br />
actual personal and private information. AR will accommodate<br />
multiple biometric modalities and provide accurate,<br />
high-volume, high-speed, authentication while fully<br />
protecting the private information of the individual by<br />
maintaining personal anonymity within the system.<br />
Properly implemented, verification of a person’s identity<br />
through biometrics provides the government or organiza-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 55<br />
tion with no more information about a person than it had<br />
before. <strong>Biometric</strong> technology becomes a vastly enhanced<br />
tool to accomplish the mission of thwarting false authentication.<br />
With proper education and system orientation, users<br />
will understand and accept this fact, especially when<br />
they can be assured that policies and procedures are in<br />
place to prevent abuse, protect personal information, and<br />
minimize the impact on privacy and civil liberties.<br />
<strong>Biometric</strong>s Role in Privacy and Identity Protection<br />
<strong>Biometric</strong> technology, effectively employed, has a significant<br />
capability to protect the personal identity and<br />
privacy of its users. An initial level of protection is accomplished<br />
simply by enrolling the individual into a biometric<br />
identity assurance infrastructure. For most individuals,<br />
this is the first opportunity they have experienced<br />
to have their true and unique identity established in a<br />
highly accurate and readily available form, secure from<br />
accidental, casual, or intentional theft or misuse. This is<br />
not a trivial benefit considering the threat people face<br />
today. A second benefit, when effectively employed, is<br />
the degree of control over their identity information and<br />
all related personal data bestowed on the individual by<br />
their participation in the identity assurance system. Essentially,<br />
they must voluntarily contribute their live feature<br />
to unlock the privilege of access to their data. Nothing<br />
exists today that provides an equivalent degree of<br />
protection in this specific function. A third benefit relates<br />
to the audit trail associated with any inquiry for access to<br />
personal data. Creation of a record of access when such<br />
access requires biometric insertion provides another<br />
layer of security. A fourth benefit addresses the security<br />
and convenience issue of password and PIN elimination<br />
available in many biometric applications. The necessity<br />
Version 2 – Summer 2008
Section 7 56 <strong>Biometric</strong> Social and Cultural Implications<br />
and almost always insecure need present today to maintain<br />
an extensive record of passwords or alphanumeric<br />
codes can be effectively replaced by biometric enrollment<br />
when the scale of use becomes universal.<br />
The inherent capabilities of the technology, enhanced<br />
by evolving improvements and enhancements in application<br />
techniques, have enormous potential for use<br />
in protecting personal privacy, safeguarding against the<br />
economic and emotional loss experienced from identity<br />
theft, and restoring rightful identity status in the aftermath<br />
of such an experience.<br />
Best Practices for <strong>Biometric</strong>s Deployment<br />
Relating to Privacy 139<br />
Although it is widely acknowledged that addressing privacy<br />
concerns is a major factor in the deployment of systems<br />
using biometrics, there is still much confusion, uncertainty,<br />
and resulting frustration regarding the impact<br />
biometrics have on privacy.<br />
“Best practices” can help decrease confusion and build<br />
awareness of how biometrics impact privacy—whether<br />
real or perceived—and how best to deploy, explain, and<br />
maintain a privacy-friendly biometric system. In addition<br />
to the technical and cost aspects of deploying a biometric-based<br />
system, privacy is one of the most important<br />
issues to be addressed.<br />
139 According to Best Practices for Privacy-Sympathetic <strong>Biometric</strong> De-<br />
ployment, IBG BioPrivacy Initiative.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 57<br />
The following guidelines 140 provide companies and organizations<br />
(public or private) with a better understanding<br />
of the types of issues that must be addressed when<br />
deploying, using, and maintaining a biometric system.<br />
These guidelines are applicable to most biometric applications,<br />
as some may not be appropriate for certain<br />
situations, uses, or technologies. The guidelines [developed<br />
by International <strong>Biometric</strong> Group] that follow can<br />
be used as a checklist by biometric technology vendors,<br />
system designers and integrators, buyers, users, and others<br />
to help protect against privacy-invasive systems.<br />
Scope and Capabilities 141<br />
1. Scope Limitation:<br />
<strong>Biometric</strong> deployments should<br />
not be expanded to perform broader verification or<br />
identification-related functions than originally intended.<br />
Any expansion or retraction of scope should<br />
be accompanied by full and public disclosure under<br />
the oversight of an independent accounting body,<br />
allowing individuals to opt-out of the system usage,<br />
if possible.<br />
2.<br />
No Establishment of a Universal Unique Identifier:<br />
<strong>Biometric</strong> information should not be used as a<br />
universal unique identifier. 142 Sufficient protections<br />
140 Accofding to Best Practices for Privacy-Sympathetic <strong>Biometric</strong> De-<br />
ployment, IBG BioPrivacy Initiative.<br />
141 According to Best Practices for Privacy-Sympathetic <strong>Biometric</strong><br />
Deployment, IBG BioPrivacy Initiative.<br />
142 Universal Unique Identifiers facilitate the gathering and collection<br />
of personal information from various databases and can represent a<br />
significant threat to privacy, if misused.<br />
Version 2 – Summer 2008
Section 7 58 <strong>Biometric</strong> Social and Cultural Implications<br />
should be in place to prevent, to the degree possible,<br />
biometric information from being used as a universal<br />
unique identifier.<br />
3. Limited Storage of <strong>Biometric</strong> Information:<br />
<strong>Biometric</strong><br />
information should only be stored for the specific<br />
purpose of usage in a biometric system and not be<br />
stored any longer than necessary. <strong>Biometric</strong> information<br />
should be destroyed, deleted, or otherwise<br />
rendered useless when the system is no longer operational;<br />
specific user information should be destroyed,<br />
deleted, or otherwise rendered useless<br />
when the user is no longer expected to interact with<br />
the system. 143<br />
4. Evaluation of Potential System Capabilities:<br />
When<br />
determining the risks a specific system might pose<br />
to privacy, the system’s potential capabilities should<br />
be assessed in addition to risks involved in its intended<br />
usage. 144<br />
5.<br />
Limit Collection or Storage of Extraneous Information:<br />
The non-biometric information collected<br />
143 This also applies to references generated during comparison attempts,<br />
such as a reference generated in the verification stage of a 1:1<br />
application.<br />
144 Few systems are deployed whose initial operations are manifestly<br />
privacy-invasive. Instead, systems may have latent capabilities, such<br />
as the ability to perform 1:N searches or the ability to be used with<br />
existing databases of biometric information, which could have an<br />
impact on privacy. Although systems with the potential to be used<br />
in a privacy-invasive manner can still be deployed if accompanied by<br />
proper precautions, their operations should be monitored, and the<br />
maximum protections possible should be taken to prevent internal or<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 59<br />
for use in a biometric verification or identification<br />
system should be limited to the minimum necessary<br />
to make the system functional. 145<br />
6. No Storage of Original <strong>Biometric</strong> Data:<br />
If consistent<br />
with basic system operations, biometric data in an<br />
identifiable state, such as a facial image, fingerprint,<br />
or vocal recording, should not be stored or used in a<br />
biometric system other than for the initial purposes<br />
of generating a reference. After reference generation,<br />
the identifiable data should be destroyed, deleted,<br />
or otherwise rendered useless. 146<br />
Data Protection 147<br />
7. Protection of <strong>Biometric</strong> Information:<br />
<strong>Biometric</strong> information<br />
should be protected at all stages of its lifecycle,<br />
including storage, transmission, and matching.<br />
148<br />
145 In most systems, personal information will already exist independently<br />
of the biometric information, such that there is no need to collect<br />
personal information again.<br />
146 This is to prevent the storage of fingerprints and facial images as<br />
opposed to finger-scan and facial-scan references.<br />
147 According to Best Practices for Privacy-Sympathetic <strong>Biometric</strong><br />
Deployment, IBG BioPrivacy Initiative.<br />
148 The protections enacted to protect biometric information may<br />
include encryption, private networks, secure facilities, administrative<br />
controls, and data segregation. The protections that are used within a<br />
given deployment are determined by a variety of factors, including the<br />
location of storage, location of matching, the type of biometric used,<br />
the capabilities of the biometric system, which processes take place in a<br />
trusted environment, and the risks associated with data compromise.<br />
Version 2 – Summer 2008
Section 7 60 <strong>Biometric</strong> Social and Cultural Implications<br />
8. Protection of Post-Match Decisions:<br />
Data transmissions<br />
resulting from biometric comparisons should be<br />
protected. Although these post-comparison decisions<br />
do not necessarily contain any biometric data,<br />
their interception or compromise could result in unauthorized<br />
access to personal information. 149<br />
9. Limited Access Systems:<br />
Access to biometric system<br />
functions and data should be limited to certain personnel<br />
under certain conditions, with explicit controls<br />
on usage and export set in the system. 150<br />
10. Segregation of <strong>Biometric</strong> Information:<br />
<strong>Biometric</strong><br />
data should be stored separately from personal information<br />
such as name, address, and medical or financial<br />
information. 151<br />
11. System Termination:<br />
A method should be established<br />
by which a system used to commit or facilitate<br />
privacy-invasive biometric matching, searches, or<br />
linking can be depopulated and dismantled. 152<br />
149 This protection is especially important in non-trusted environments<br />
such as the Internet.<br />
150 Multiple-user authentication can be required when accessing<br />
or exposing especially sensitive data. Any access to databases that<br />
contain biometric information should be subject to controls and strong<br />
auditing.<br />
151 Depending on the manner in which the biometric data is stored, this<br />
separation may be logical or physical.<br />
152 The responsibility for making such a determination may rest with<br />
an independent auditing group and would be subject to appropriate<br />
appeals and oversight.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 61<br />
User Control of Personal Data 153<br />
12. Ability to “Un-enroll”: Individuals should, where<br />
possible, have the right to control usage of their biometric<br />
information and the ability to have it deleted,<br />
destroyed, or otherwise rendered useless upon request.<br />
154<br />
13. Correction of and Access to <strong>Biometric</strong>-related Information:<br />
System operators should provide a<br />
method for individuals to correct, update, and view<br />
information stored in conjunction or association with<br />
biometric information. 155<br />
14. Anonymous Enrollment:<br />
Depending on the operational<br />
feasibility, biometric systems should be designed<br />
such that individuals can enroll with some<br />
degree of anonymity. 156<br />
153 According to Best Practices for Privacy-Sympathetic <strong>Biometric</strong> De-<br />
ployment, IBG BioPrivacy Initiative.<br />
154 This is more applicable to opt-in systems that to mandatory systems.<br />
In certain public sector and employment-related applications, there<br />
is a compelling interest for data to be retained for verification or<br />
identification purposes, such that the option of unenrollment would<br />
render the system inoperable.<br />
155 Failure to provide a means of updating personal information is<br />
inconsistent with basic privacy principles and may lead to increased<br />
likelihood of erroneous decisions.<br />
156 In Web-based environments, where individuals can assume alternate<br />
identities through e-mail addresses or usernames, there may be no<br />
need for a biometric system to know with whom it is interacting so<br />
long as the user can verify his or her original claimed identity.<br />
Version 2 – Summer 2008
Section 7 62 <strong>Biometric</strong> Social and Cultural Implications<br />
Disclosure, Auditing, Accountability, and<br />
Oversight 157<br />
15. Third Party Accountability, Audit, and Oversight:<br />
The operators of certain biometric systems, especially<br />
large-scale systems or those employed in the<br />
public sector, should be held accountable for system<br />
use. As internal or external agents may misuse biometric<br />
systems, independent system auditing and<br />
oversight should be implemented. 158<br />
16. Full Disclosure of Audit Data:<br />
Individuals should<br />
have access to data generated through third-party<br />
audits of biometric systems. 159<br />
17. System Purpose Disclosure:<br />
The purposes for which<br />
a biometric system is being deployed should be fully<br />
disclosed. 160<br />
157 According to Best Practices for Privacy-Sympathetic <strong>Biometric</strong> De-<br />
ployment, IBG BioPrivacy Initiative.<br />
158 Depending on the nature of a given deployment, this independent<br />
auditing body can ensure adherence to standards regarding data<br />
collection, storage, and use.<br />
159 <strong>Biometric</strong> systems that may pose a potential risk to privacy should<br />
be monitored and audited by independent parties. The data derived<br />
from such oversight should be available to facilitate public discussion<br />
on the system’s privacy impact.<br />
160 For example, if individuals are informed the system is to be used<br />
for identity verification, it should not be used for 1:N identification.<br />
Without full disclosure of the purposes for which a system is being<br />
deployed, it is difficult to make informed assessments on the system’s<br />
potential privacy impact.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 63<br />
18. Enrollment Disclosure:<br />
Ample and clear disclosure<br />
should be provided when individuals are being enrolled<br />
in a biometric system. Disclosure should take<br />
place even if the enrollment references are not being<br />
permanently stored, such as in a monitoring application.<br />
161<br />
19. Matching Disclosure:<br />
Ample and clear disclosure<br />
should be provided when individuals are in a location<br />
or environment where biometric matching (either<br />
1:1 or 1:N) may be taking place without their explicit<br />
consent. 162<br />
20. Disclosure of Use of <strong>Biometric</strong> Information:<br />
Institutions<br />
should disclose the uses to which biometric<br />
data are to be put, both inside and outside a given<br />
biometric system. <strong>Biometric</strong> information should only<br />
be used for the purpose for which it was intended<br />
and within the system for which it was collected unless<br />
the user explicitly agrees to broader usage. There<br />
should be no sanctions applied to any user who does<br />
not agree to broader usage of his/her biometric information.<br />
161 This includes employees enrolled in a facial-scan system through<br />
badge card photos or driver’s license photos, or telephone callers enrolled<br />
in a voice-scan sysstem. Informed consent to the collection, use,<br />
and storage of personal information is a requirement of privacy-sympathetic<br />
system operations.<br />
162 This would include facial-scan technology used in public areas and<br />
fingerprint information taken from employees.<br />
Version 2 – Summer 2008
Section 7 64 <strong>Biometric</strong> Social and Cultural Implications<br />
21. Disclosure of Optional/Mandatory Enrollment:<br />
Ample and clear disclosure should be provided, indicating<br />
whether enrollment in a biometric system<br />
is mandatory or optional. If the system is optional,<br />
alternatives to the biometric should be made readily<br />
available. 163<br />
22. Disclosure of Individuals and Entities Responsible<br />
for System Operation and Oversight: As a precondition<br />
of biometric system operation, it should be<br />
clearly stated who is responsible for system operation,<br />
to whom questions or requests for information<br />
should be sent, and what recourse individuals have<br />
to resolve grievances.<br />
23. Disclosure of Enrollment, Verification, and Identification<br />
Processes: Individuals should be informed<br />
of the process flow of enrollment, verification, and<br />
identification. This includes detailing the type of<br />
biometric and non-biometric information they<br />
will be asked to provide, the results of the successful<br />
and unsuccessful positive verification, and the<br />
results of matches and non-matches in identification<br />
systems. In 1:N systems where matches may<br />
be resolved by human intervention, the means<br />
of determining match or non-match should be<br />
disclosed.<br />
24. Disclosure of <strong>Biometric</strong> Information Protection and<br />
System Protection: Individuals should be informed<br />
of the protections used to secure biometric information,<br />
including encryption, private networks, secure<br />
163 Individuals should be fully aware of their authentication options.<br />
There should be no implication that enrollment in a given system is<br />
compulsory if it is optional.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 65<br />
facilities, administrative controls, and data segregation.<br />
25. Fallback Disclosure:<br />
When available, alternative authentication<br />
processes should be available for individuals<br />
to review if they are unable or unwilling to<br />
enroll in a biometric system. These alternative procedures<br />
should be neither punitive nor discriminatory<br />
in nature.<br />
To address privacy concerns associated with various<br />
biometric-based programs, comprehensive privacy controls<br />
should be put into place. Such controls include:<br />
–<br />
–<br />
–<br />
–<br />
–<br />
–<br />
Educating system users through transparency of the<br />
program, including development and publication<br />
of a Privacy Policy that will be disseminated prior to<br />
the time information is collected from users.<br />
Establishing a privacy sensitivity awareness program<br />
for system operators.<br />
Establishing a privacy officer and implementation<br />
of an accountability program for those responsible<br />
for compliance with the published Privacy<br />
Policy.<br />
Periodically reviewing data to ascertain that the<br />
collection is limited to what is necessary for stated<br />
purposes.<br />
If appropriate, establishing usage requirements<br />
between the organizations and agencies authorized<br />
to have access to the data.<br />
To the extent permitted by law, regulations, or poli-<br />
Version 2 – Summer 2008
Section 7 66 <strong>Biometric</strong> Social and Cultural Implications<br />
•<br />
•<br />
cy, establishing an opportunity for covered individuals<br />
to gain access to their information and/or allow<br />
them to challenge its completeness or integrity.<br />
Maintaining security safeguards (physical, electronic,<br />
and procedural) consistent with federal and state<br />
laws and policies to limit access to personal information<br />
only to those with appropriate rights, and to<br />
protect information from unauthorized disclosure,<br />
modification, misuse, and disposal whether intentional<br />
or unintentional.<br />
Establishing administrative controls to prevent improper<br />
actions due to data inconsistencies from multiple<br />
information sources.<br />
There are significant privacy and civil liberties concerns<br />
regarding the use of biometric-based systems that must<br />
be addressed before any should be deployed. There are<br />
six primary areas of concern:<br />
1. Storage:<br />
How is the data stored, centrally or dispersed?<br />
How should scanned data be retained?<br />
2. Vulnerability:<br />
How vulnerable is the data to theft or<br />
abuse?<br />
3. Confidence:<br />
How much of an error factor in the technology’s<br />
authentication process is acceptable? What<br />
are the implications of false positives and false negatives<br />
created by a machine?<br />
4. Authenticity:<br />
What constitutes authentic information?<br />
Can that information be tampered with?<br />
5. Linking:<br />
Will the data gained from scanning be<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 67<br />
linked with other information about spending habits,<br />
etc? What limits should be placed on the private<br />
use (as contrasted to government use) of such technology?<br />
6. Ubiquity:<br />
What are the implications of having an<br />
electronic trail of a person’s every movement if<br />
cameras and other devices become commonplace,<br />
used on every street corner and every means of<br />
transportation?<br />
Examples of Privacy Codes or Best Practices<br />
OECD 164 Guidelines<br />
The OECD is an international organization, currently<br />
made up of 30 member countries, that creates a forum<br />
to “discuss, develop, and refine economic and social policies.”<br />
The OECD Guidelines’ eight privacy principles are:<br />
1. The Collection Limitation Principle:<br />
This principle<br />
states that there should be limits to the collection<br />
of personal data and that any such data should be<br />
obtained only by lawful and fair means and, where<br />
appropriate, with the knowledge and consent of the<br />
individual.<br />
2. The Data Quality Principle:<br />
This principle states<br />
that personal data collected should be relevant to<br />
the purposes for which it is to be used and, to the<br />
extent necessary for such purposes, should be accurate,<br />
complete, and up-to-date.<br />
164 Organization for Economic Cooperation and Development (OECD)<br />
Version 2 – Summer 2008
Section 7 68 <strong>Biometric</strong> Social and Cultural Implications<br />
3. The Purpose Specification Principle:<br />
This principle<br />
states that the purposes for which data is collected<br />
should be specified not later than at the time it is collected,<br />
and that the subsequent use should be limited<br />
to the fulfillment of those purposes or such other<br />
purposes that are not incompatible with the stated<br />
purposes and as are specified on each occasion of<br />
change of purpose.<br />
4. The Use Limitation Principle:<br />
This principle states<br />
that personal data should not be disclosed, made<br />
available, or otherwise used for purposes other than<br />
those purposes in accordance with the “Purpose<br />
Specification Principle” except (a) with the individual’s<br />
consent or (b) with the authority of law.<br />
5. The Security Safeguards Principle:<br />
The principle<br />
states that personal data should be protected by<br />
reasonable security safeguards against such risks as<br />
loss, misuse, unauthorized access or disclosure, and<br />
modification.<br />
6. The Openness Principle:<br />
This principle states that<br />
there should be a general policy of openness about<br />
development, practices, and policies with respect<br />
to personal data. This principle further states that<br />
means should be readily available for establishing<br />
the existence and nature of personal data, the purpose<br />
of its use, and the identity and location of the<br />
data controller. [This principle and the two following<br />
clearly imply that there should be a designated “data<br />
controller.”]<br />
The Individual Participation Principle<br />
7. : This principle<br />
states that an individual should have certain<br />
rights with respect to his/her personal data, includ-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 69<br />
ing (a) the right to receive confirmation from the<br />
data controller as to whether the data controller has<br />
the individual’s personal information, (b) the right to<br />
have data related to him/her communicated to him/<br />
her within a reasonable time, in a reasonable matter,<br />
in an intelligible form, and at a cost (if any) that is not<br />
excessive, (c) the right to be given the reason for any<br />
denial of any such requests, and (d) the right to seek<br />
corrections to his/her personal data.<br />
8. The Accountability Principle:<br />
This principle states<br />
that the data controller should be accountable for<br />
complying with measures that give effect to the<br />
above principles. [This principle implies there should<br />
be such accountability and data control measures in<br />
place, e.g., in the form of a protocol.]<br />
Because of OECD’s unique role in the global community,<br />
it is an excellent outlet for discussing biometrics and the<br />
ensuing privacy concerns. Indeed, this is why the OECD<br />
Guidelines on the Protection of Privacy and Transborder<br />
Flows of Personal Data (1980) are invaluable to any discussion<br />
of data privacy, nearly 30 years after their adoption.<br />
Although the privacy protections contained in the<br />
document may be outdated, the underlying themes are<br />
still being discussed by OECD countries and non-members<br />
through working groups. This is an encouraging<br />
step toward a more universal definition of privacy, which<br />
will greatly benefit the biometric community by clearly<br />
defining the rules of operation and providing direction<br />
for storage of personal or sensitive data.<br />
Version 2 – Summer 2008
Section 7 70 <strong>Biometric</strong> Social and Cultural Implications<br />
International <strong>Biometric</strong> Industry Association<br />
(IBIA) 165<br />
The IBIA adopted and promulgates through its membership<br />
four principles dealing with biometrics and privacy.<br />
These are:<br />
1.<br />
2.<br />
3.<br />
4.<br />
165 www.ibia.org<br />
<strong>Biometric</strong> data is electronic code that is separate and<br />
distinct from personal information and provides an<br />
effective, secure barrier against unauthorized access<br />
to personal information. Beyond this inherent protection,<br />
IBIA recommends safeguards to ensure that<br />
biometric data is not misused to compromise any information,<br />
or released without personal consent or<br />
the authority of law.<br />
In the private sector, IBIA advocates the development<br />
of policies that clearly set forth how biometric data<br />
will be collected, stored, accessed, and used, and<br />
that preserve the rights of individuals to limit the<br />
distribution of the data beyond the stated purposes.<br />
In the public sector, IBIA believes that clear legal<br />
standards should be developed to carefully define<br />
and limit the conditions under which agencies of national<br />
security and law enforcement may acquire, access,<br />
store, and use biometric data.<br />
In both the public and private sectors, IBIA advocates<br />
the adoption of appropriate managerial and technical<br />
controls to protect the confidentiality and integrity<br />
of databases containing biometric data.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 71<br />
Anti-Abuse Policy<br />
Whatever combination of principles for protection are ultimately<br />
established, it is also clear that there should be<br />
accountability for safeguarding both biometric data and<br />
the data directly related to personal information, and required<br />
compliance with protocols and policies. Penalties<br />
should be imposed for non-compliance. Penalties already<br />
exist for related violations, such as for theft of personal<br />
information or theft of information on a computer<br />
(i.e., the Computer Fraud and Abuse Act).<br />
In most cases, the existing penalties are imposed on the<br />
person stealing the information. However, imposing penalties<br />
on the keeper of biometric data and personal information<br />
is essential to help guard against abuse and provide<br />
comfort to participants. Such a structure would not<br />
be the first time the law imposed penalties on the keeper<br />
of personal information. For example, the Health Insurance<br />
Portability and Accountability Act (HIPAA) places a<br />
burden on the keeper of health information to maintain<br />
adequate security measures to protect such information<br />
from theft or misuse and imposes penalties for non-compliance.<br />
The penalties on the keeper of biometric information<br />
may, therefore, be somewhat analogous to the HIPAA<br />
security requirements. The penalties, ranging from fines<br />
to imprisonment, should vary depending on the severity<br />
and intent. For example, an inadvertent act or failure<br />
to act that resulted in a system vulnerability without any<br />
actual harm, would warrant a fine as a deterrent for future<br />
negligence. Whereas a deliberate dissemination of<br />
personal information for private gain or other malicious<br />
motive would warrant a much steeper penalty, such as<br />
higher fines and possibly even imprisonment. Repeat of-<br />
Version 2 – Summer 2008
Section 7 72 <strong>Biometric</strong> Social and Cultural Implications<br />
fenders should also be subject to stricter penalties. There<br />
should also be minimum and/or maximum fines and prison<br />
terms to allow judges discretion in sentencing.<br />
Summary<br />
This section provides many different lists and recommendations<br />
regarding usage of biometrics for attaining<br />
a reasonable level of privacy at the same time. They<br />
have been presented in the form they were developed<br />
by others to allow a broader perspective on the issue,<br />
and avoid yet another list sponsored by this publication.<br />
The time has come to seriously consider public policy on<br />
penalties for abuse.<br />
The enabling tool of biometric technology and the passion<br />
for personal privacy that exists in many individuals<br />
and in some societies as a whole are inextricably linked.<br />
It could not be otherwise when the primary function of<br />
that enabling tool is the most accurate capability for identification<br />
or personal recognition yet conceived. We can<br />
fight the onslaught of the technology in a painful, costly,<br />
and ultimately futile attempt to limit its use, or work for a<br />
constructive usage that limits the technical and administrative<br />
potential for abuse and maximizes the benefits to<br />
privacy it offers. The latter is the only rational course.<br />
Section 7, Part III: Societal Issues—User<br />
Acceptance Considerations<br />
The overall success of a biometric system depends, ultimately,<br />
on whether or not people will use it and if they<br />
will use it correctly. To increase the chances that users<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 73<br />
will accept any biometric-based system and be willing<br />
to cooperate with it, the user interface (usually with the<br />
imager/reader) must be easy to use and the purpose for<br />
the biometric system fully explained. If the system is too<br />
difficult or inconvenient to use (for example, users have<br />
to remove glasses, rings, or other items) or a low security<br />
application is set too high (causing high false rejects) and<br />
requiring repeated ID attempts by users, frustrations can<br />
lead to increased error rates, user resistance, and loss of<br />
confidence in the system. Additionally, if users perceive<br />
a biometric technology as being too intrusive, their resistance<br />
to using the technology may also adversely affect<br />
system performance, and even lead to avoidance or<br />
abuse.<br />
Any biometric program must take into account those individuals<br />
who cannot or will not participate in the program—whether<br />
by choice or by circumstance. Some<br />
people, through no fault of their own, cannot provide<br />
the chosen biometric because their characteristics are<br />
not measurable by the imager in use (for example; fingerprints<br />
or irises). No matter the type of biometric feature<br />
being measured, there will always be a small outlier<br />
population of people who simply cannot be enrolled or<br />
identified using that feature. Others, however, may actively<br />
choose not to participate in the biometric system<br />
because of their personal beliefs. While such persons<br />
may comprise a very small fraction of the general user<br />
population, they can be a vocal minority and create an<br />
atmosphere of doubt about the system and the credibility<br />
of its operation. Although such out-spoken criticisms<br />
and perceptions of the system may not prevent eventual<br />
full scale adoption and use of the biometric program, it<br />
could lengthen the deployment cycle if these concerns<br />
are not understood and addressed quickly.<br />
Version 2 – Summer 2008
Section 7 74 <strong>Biometric</strong> Social and Cultural Implications<br />
Some biometric devices also provoke concerns about<br />
hygiene. For example, some people may object to hand<br />
geometry scanners because they do not like to put their<br />
palms on the same surfaces used by many others. It is<br />
interesting that such perspectives do not readily appreciate<br />
the relevance of other common usage such as<br />
doorknobs. Other people may fear devices that scan<br />
(and more properly, image) particularly sensitive areas of<br />
the body, such as the eyes. Generally, if users perceive<br />
that one biometric is less intrusive than another, they are<br />
more likely to readily accept that product. The operative<br />
word is “perceive.”<br />
The Users’ Perspective<br />
Historically, every technological innovation is met by<br />
skepticism, cynicism, fear, and resistance to change;<br />
usually in direct proportion to the threat of personal<br />
intrusion it represents to the individual, as well as the<br />
demands it makes on the level of cooperation required<br />
to fully exploit its potential. There are few examples of<br />
this technological impact stronger then a system that<br />
intrudes on the matter of personal identity. Nevertheless,<br />
the old axiom that “nothing is stronger than an<br />
idea whose time has come” also applies to biometrics.<br />
To avoid a collision of the new technology and the old<br />
tradition, the industry is faced with an educational challenge<br />
of considerable dimension. Before that education<br />
can be useful, one must consider the scope and<br />
nature of the concerns faced by biometrics, both real<br />
and imagined.<br />
It is important to try and understand the logical and<br />
emotional response of the potential users of any<br />
biometric-based identification system. Much of those<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 75<br />
concerns are related to privacy and civil liberties issues<br />
discussed earlier in this section. Not surprisingly, other<br />
concerns emanate from a lack of knowledge about many<br />
aspects of the technology. Does the user really understand<br />
what biometrics are all about? How safe are they?<br />
Are they uncomfortable with the idea of being identified<br />
by a “body part?” How will users react to different biometric<br />
technologies? Are there any cultural, religious, or<br />
political biases? How will their personal biometric data<br />
be used and by whom? Who will be allowed to have access<br />
to that data? Will they be treated like a criminal if<br />
they participate? Other concerns relate to how the biometric<br />
templates or references will be stored and used,<br />
and who will have access to them. There also may be<br />
more general concerns expressed about biometric databases,<br />
and if they will be placed in the custody of governments<br />
or commercial enterprises.<br />
More recently, the expanding problem of identity theft<br />
raises new concerns and promises regarding the role of<br />
biometrics. Will the technology make it easier or harder<br />
for a victim to prove his/her true identity and resolve the<br />
economic and emotional impact? Last, but not least, how<br />
does the threat of international terrorism relate to the<br />
use of biometrics as far as the individual is concerned?<br />
Will this be just another delay at an airport, or a meaningful<br />
way to distinguish the good guys from the bad or the<br />
unknown?<br />
All of these concerns require a response, regardless of<br />
whether the question is based on fact or falsehood. The<br />
FAQ list on every biometric community web site should<br />
be focused on providing the right answers regarding the<br />
accurate capabilities of the technology, as well as on the<br />
limitations experienced in its use known to date. There is<br />
significant empirical evidence that users will readily ac-<br />
Version 2 – Summer 2008
Section 7 76 <strong>Biometric</strong> Social and Cultural Implications<br />
cept the technology and are even excited by its innovation,<br />
when they are adequately and accurately informed<br />
as to its true characteristics.<br />
Religious, Cultural, and Political/Philosophical<br />
Concerns<br />
Other criticisms of the use of biometrics originate on cultural,<br />
religious, and/or political or philosophical grounds.<br />
The population at large may not share such concerns,<br />
but to the extent those who advocate for them have sincerely<br />
held beliefs, they should not be ignored. 166 Other<br />
cultural concerns may include objections to specific<br />
types of technologies or their particular imagers. For example,<br />
their may be cultural objections to facial or eye<br />
photography or imaging, or the imaging of fingerprints,<br />
or any contact with the body.<br />
In the political or philosophical spectrum, the range (if<br />
not the volume) of opposition can be quite broad. Individuals<br />
and groups on both the Left and the Right see<br />
threats to firmly held beliefs from any identification system<br />
that may evolve into wide-ranging usage. National<br />
ID systems are a particularly sensitive issue in this respect,<br />
and originate in part from the 20th Century experience<br />
of abuse of personal identification at the national<br />
level by totalitarian regimes. These are not trivial concerns<br />
and a legitimate interest in promoting the benefits<br />
of biometrics should not dismiss them lightly. On the<br />
contrary, it would be better to focus on design goals and<br />
protective devices that prevent the potential for abuse<br />
that gives rise to such concerns.<br />
166 From <strong>Biometric</strong>s: Identity Assurance in the Information Age. John D.<br />
Woodward. McGraw-Hill. 2003. Pg. 209. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 77<br />
Educating Users<br />
It is important that biometric system users be educated<br />
appropriately (as to system use, functionality, and the reasons<br />
for its use), have good quality enrollment references,<br />
and be generally pleased or at least satisfied with the<br />
overall system concept and its benefits to them and/or<br />
their organization. The purpose of such education should<br />
not be political orientation, but rather a fully factual exposure<br />
to the technology and its utility. If, after receiving<br />
such education, they elect to not participate (in an opt-in<br />
environment), or only participate on a reluctant basis because<br />
it involves a mandatory program within their organization,<br />
that is, of course, their privilege. Advocacy has<br />
its place in the development of any new technology and<br />
many will take up (or oppose) that cause. Generally however,<br />
advocacy should be distinct from a factual educational<br />
program.<br />
Since most public concern about biometrics arises from<br />
fears that the technology can be misused to invade or<br />
violate personal privacy, the principles, prohibitions, and<br />
anti-abuse measures discussed in detail in this section<br />
should be part of any serious education or training program<br />
in biometrics.<br />
Educating biometric system users includes training,<br />
comprehension of expectations for, and limitations of, the<br />
technology and its devices; and include documentation<br />
regarding the system and its performance requirements.<br />
Such documentation includes, but is not limited to:<br />
•<br />
•<br />
A user’s manual<br />
Policies governing the use of the technology<br />
Version 2 – Summer 2008
Section 7 78 <strong>Biometric</strong> Social and Cultural Implications<br />
•<br />
•<br />
Policies governing the use of biometric references<br />
Policies on storage of all personal data and restrictions<br />
on its use<br />
<strong>Manual</strong>s should be short, simple, and to the point. The<br />
acceptance rate of the users will have greater success if<br />
they feel confident and secure in their knowledge about<br />
the biometric-based system.<br />
User orientation at enrollment or first exposure to the<br />
system is essential to reaching a comfort level for normal<br />
operations. Walkthroughs and trial-runs will help<br />
increase that comfort level and avoid initial concerns<br />
and personal embarrassment if rejections or failures occur.<br />
Such simulations will also help decrease the error<br />
rates by illustrating the system’s performance or window<br />
when the user enters the transaction process. Such first<br />
encounters of operational systems should always be in<br />
the company of an experienced user or administrative<br />
staff.<br />
Summary<br />
There is significant empirical evidence gained from a<br />
number of public, commercially based biometric pilot<br />
programs during the last 10 years that most users are<br />
not only comfortable but even intrigued by the way<br />
biometrics work. Ultimately, this will almost certainly be<br />
the mainstream experience as usage expands. The biometric<br />
community should act accordingly in construc-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 7 79<br />
tion of both public and private educational programs in<br />
the technology and its applications.<br />
As always, critics will continue to warn against the use<br />
and abuse of biometrics and when constructive, such<br />
criticism should be carefully considered to improve the<br />
human interface and reduce, where possible, any threat<br />
the technology represents to an individual. In the final<br />
analysis, however, the compelling value biometrics represent<br />
to society will gain and hold widespread acceptance.<br />
As summarized by sociologist Amitai Etzioni: 167<br />
Reliable identifiers could replace the existing patchwork<br />
of passwords that are often forgotten, lost, or<br />
misappropriated. The same identifiers could be used<br />
to ensure that one’s vote is not forged, that one’s credit<br />
card is not misused, that one’s checks are not cashed by<br />
others . . . In short, reliable universal identifiers – especially<br />
biometric ones – could go a long way toward ensuring<br />
that people are secure in their identity, thereby<br />
allowing others to trust that they are who they claim<br />
to be.<br />
167 From Army <strong>Biometric</strong> <strong>Application</strong>s: Identifying and Addressing Sociocultural<br />
Concerns. Chapter 3. RAND 2001. Used with permission.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 1<br />
Section 8: Trends and Implications<br />
Recording biological features for identification purposes<br />
had its origin in China in the 14th Century. Until recently,<br />
however, using any of these systems were quite labor intensive<br />
requiring manual measurements and tracing of<br />
body parts.<br />
Modern biometric technology traces its roots to the<br />
1930s, when serious research was conducted on using<br />
biometrics to accurately identify individuals for criminal<br />
purposes. Forensic examination, principally based on<br />
fingerprint analysis, benefited by extensive government<br />
funding and resulted in the creation of an effective, highly<br />
automated mainframe-based system of identification<br />
by the 1970s.<br />
Progress in other areas of identification technology, many<br />
related to finding commercial applications for biometrics,<br />
coincided with the advent of microprocessors and personal<br />
computers in the 1980s. This arm of research eventually<br />
led to the establishment of five core technologies<br />
that form the basis for the vast majority of commercial,<br />
off-the-shelf biometric applications. These include:<br />
•<br />
•<br />
•<br />
Fingerprints: Using various sensors to capture the<br />
surface or sub-dermal image of a live fingerprint<br />
Hand-geometry: Measuring the length of the fingers<br />
and their relationship to each other<br />
Iris Recognition: Using a video camera to acquire a<br />
detailed image of the color patterns inherent in the<br />
eye’s iris<br />
Version 2 – Summer 2008
Section 8 2 Trends and Implications<br />
•<br />
•<br />
Facial Recognition: Using a camera to collect an image<br />
that is analyzed through the use of various types<br />
of two-and three-dimension processing<br />
Voice Recognition: Analyzing the unique audio “signature”<br />
of a person’s voice<br />
The common thread through all of these technologies<br />
is the speed of image acquisition and information processing<br />
provided by modern computers, aided by the<br />
advance of signal processing and PC-based statistical<br />
techniques not feasible in earlier, manual processes.<br />
Trends<br />
Despite the prominence of the principal biometric technologies<br />
noted above, several trends are worth noting<br />
that will continue to expand the uses for, and accuracy<br />
of, biometrics for a wide range of commercial and government<br />
uses. These include:<br />
•<br />
•<br />
•<br />
•<br />
Experimenting with new biometrics that may be<br />
used alone or in conjunction with other biometrics<br />
to improve identity under unique or challenging<br />
conditions<br />
Improving the core technologies that make them<br />
more accurate and more useful to the community of<br />
end users<br />
Reducing the price of biometrics by developing lowcost<br />
sensors and efficient, plug-and-play solutions<br />
Combining more than one biometric into “fused” or<br />
multi-modal applications to improve accuracy<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 3<br />
•<br />
Developing new approaches that address privacy<br />
concerns and in turn expand the use of biometrics to<br />
reduce the costs of identity fraud.<br />
New <strong>Biometric</strong>s<br />
There are a number of new biometrics that are at some<br />
stage of product development and have either received<br />
media attention or have been singled out by the biometric<br />
community for their ongoing significance (refer to<br />
Section 3). The nature of biometric research means that<br />
any list, such as it appears here, is unlikely to be all-inclusive;<br />
other technologies are certain to emerge in the near<br />
future. Some of these will develop as viable competitors,<br />
while others will no doubt fade from sight as impractical,<br />
ill-founded, or too expensive. It is the purpose of this<br />
section to review the current trends in biometrics and to<br />
draw some implications from these trends.<br />
DNA<br />
• : DNA has established itself as a widely accepted<br />
personal identifier and, like fingerprint analysis, is often<br />
used in court to substantiate various claims or to<br />
discredit others. As a biometric identifier, however,<br />
in the sense of iris, voice, hand-geometry, and facial<br />
recognition, DNA recognition is presently confronted<br />
with two key challenges: collection and processing<br />
issues. Present technology is not capable of obtaining<br />
a DNA sample, processing it, and reporting results<br />
fast enough to be useful as part of an access control<br />
system where relatively high-speed throughput is<br />
required. Also, since DNA can be used to identify a<br />
large number of genetic predispositions for various<br />
diseases and limitations, privacy issues are numerous<br />
and not easily addressed. One company, however, is<br />
using plant DNA embedded in books and other pa-<br />
Version 2 – Summer 2008
Section 8 4 Trends and Implications<br />
per products to verify ownership.<br />
• Fingernail Patterns:<br />
As fingernails grow, they leave<br />
grooves or ridges on the nail bed that can be imaged<br />
in infrared light. At least one company is attempting<br />
to develop products to exploit this phenomenon.<br />
• Gait Recognition:<br />
The challenge to counter-terrorist<br />
professionals is how to capture biometric features<br />
without the subject being aware of the collection effort,<br />
and then use this information for subsequent application.<br />
Toward this end, there is ongoing research<br />
being conducted into how people can be identified<br />
by their gait as they walk.<br />
• Olfactory Recognition (Odor Analysis) : Some scientists<br />
suggest that a person’s body odor is sufficiently<br />
unique as to be usable as a biometric reference.<br />
• Retina:<br />
At a recent biometric conference, a new company<br />
appeared as an exhibitor with a fresh approach<br />
to retina imaging that enables the process to occur<br />
at six-12 inches, or greater, between the imager and<br />
the subject using conventional, unfocused light, providing<br />
distinct improvements over an older retinal<br />
product and overcoming key points in customer resistance.<br />
If successful, this method could overcome<br />
user objections to the technology that earlier prevented<br />
its general acceptance in the marketplace.<br />
• Skin <strong>Biometric</strong>s:<br />
Work has been done to use the arrangement<br />
of sweat pores on a person’s hands as a<br />
biometric identifier.<br />
Vein Patterns<br />
• : Several companies have recently discussed<br />
biometric recognition using the patterns of<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 5<br />
veins in the palm and back of the hand. Fujitsu, for<br />
example, claims to have completed at least two sales<br />
to major client for their technology.<br />
There are at least three key challenges facing these and<br />
other new biometric technologies that seek marketplace<br />
acceptance: persistence, scientific basis, and richness of<br />
data.<br />
1. Persistence.<br />
Persistence refers to the durability of a<br />
biometric over time to resist change due to aging,<br />
illness, or injury. Characteristics that change significantly<br />
within a month or so would require constant<br />
re-enrollment and would introduce potential for<br />
various types of errors. Even mainstream biometrics<br />
must continue to deal with these issues through constant<br />
refinement of their processing algorithms.<br />
2. Scientific Basis.<br />
It is not sufficient that something<br />
seems to work without a clear understanding of why<br />
it works. There must be a solid scientific explanation<br />
for how the appearance of a physical feature<br />
supports its use for identification. Companies have<br />
been known to spend four, five, six, or more years in<br />
pure research and development to fully establish the<br />
science behind the advancement.<br />
Richness of Data Points<br />
3. . Tied closely to the scientific<br />
basis description, is a requirement that there be a sufficient<br />
richness of data to accept these features and<br />
be randomly distributed for unique identification.<br />
Clear evidence that the quality of “uniqueness” exists<br />
is essential. The more data points there are, the more<br />
effective the algorithms will be in creating, searching<br />
for, and verifying the biometric template.<br />
Version 2 – Summer 2008
Section 8 6 Trends and Implications<br />
Improved <strong>Technology</strong><br />
The computer revolutionized biometrics. Imaging or<br />
capturing and processing fine details of fingerprints, irises,<br />
and voice waveforms were simply not cost-effective<br />
or practical prior to the personal computer. Between<br />
the early 1940s and the late 1970s, existing computers—<br />
mainly mainframes—could conceivably perform many<br />
of the computational tasks, but it would have been impractical<br />
to attempt. Also, during this period, there was<br />
not a sufficient perception of the threat to drive that type<br />
of application. This macro trend actually comprises several<br />
trends.<br />
• Cost of Processing:<br />
Personal computers require little<br />
space and are affordable by most. While “Moore’s<br />
Law” produced ever-faster processing speeds, prices<br />
dropped to the point where cost was no longer a<br />
barrier to research. Under such circumstances many<br />
scientists and engineers can now develop and improve<br />
their own information processing techniques<br />
and algorithms in the comfort of their homes or personal<br />
workshops, thus lowering the cost of entry for<br />
innovative, but cash-strapped entrepreneurs.<br />
The same phenomenon applies to pre-programmed<br />
and programmable microprocessors that are at the<br />
core of many biometric devices. Continuing advances<br />
in circuit fabrication, which in turn enable significant<br />
improvements in processing power, are being<br />
packaged in smaller, cheaper units that speed up the<br />
development of market-ready components.<br />
Memory<br />
• : Likewise, the capacity of computer processing<br />
units (CPUs) and memory devices has increased<br />
and prices have plummeted even more dra-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 7<br />
matically. With each incremental increase in capacity<br />
(and drop in price), the time required to process information<br />
from a biometric device and make a useful<br />
and reliable decision is shortened.<br />
• Databases:<br />
With memory expansion and improved<br />
32- and 64-bit processing, creating and searching<br />
massive databases has become feasible. Millions of<br />
records can be examined in less than a second, enabling<br />
manufacturers to devise and deploy biometric<br />
systems on a global basis.<br />
•<br />
•<br />
Algorithms: Every biometric technology relies on<br />
proprietary and sophisticated algorithms that can<br />
convert an image into a useful means of establishing<br />
a template that can be used to create, store, and retrieve<br />
a biometric record. Ongoing development has<br />
made such algorithms extremely efficient at searching<br />
large scale databases in short amounts of time, or<br />
at combining multiple biometrics into a unique “signature”<br />
that helps to narrow down the task of verifying<br />
identity.<br />
<strong>Biometric</strong>s at a distance: This topic, of enormous interest<br />
to the defense and homeland security communities,<br />
is targeted at the acquisition of biometric identity<br />
without the knowledge of the individual. Some<br />
of this research combines powerful cameras with<br />
complex algorithms to produce high quality face images,<br />
iris images, and gait signatures that may create<br />
a useful picture of the person at interest. While the<br />
results of this research are inconclusive to date, the<br />
commercial applications are potentially significant:<br />
better iris recognition capabilities that are derived<br />
from the ability to capture the image at a distance<br />
without the active participation of the user could<br />
Version 2 – Summer 2008
Section 8 8 Trends and Implications<br />
•<br />
streamline access control processes and provide a<br />
higher level of identity assurance.<br />
Nanotechnology: This is another trend that has fired<br />
an imaginations. The trend toward miniaturization<br />
and micro-miniaturization has a twofold impact on<br />
biometrics. First, it has enabled biometric devices<br />
and systems to shrink from something the size of a<br />
toaster to a device smaller than a fingernail. Second,<br />
it facilitates the exploration and use of human features<br />
not presently amendable for use as a biometric<br />
identifier. For example, does a nano-scale device in<br />
the blood stream provide a necessary interface with<br />
external technology to enable the collection and<br />
pre-processing of DNA? Such issues are speculative<br />
at the present time regarding the biometric applications<br />
of nanotechnology, but it is an area that is<br />
bound to lead to improvements in biometric identity<br />
applications.<br />
Falling System and <strong>Application</strong> Prices<br />
<strong>Biometric</strong> systems that only recently cost U. S.<br />
$2,000–$5,000 per portal are now becoming available<br />
for a fraction of that cost. Meanwhile, prices for central<br />
processing or the “head-end system” are also falling.<br />
A factor driving the cost of biometric technology is the<br />
need for the innovating companies to recoup their nonrecurring<br />
engineering and product design costs within a<br />
reasonable period of time. Because the original products<br />
were so expensive, the demand for them was limited to<br />
a few very high-security installations. The small number<br />
of sales forced the manufacturers to price their products<br />
high enough to recover their expenses.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 9<br />
With the exception of unique high-end products ( a thermal<br />
imaging biometric that requires liquid nitrogencooled<br />
cameras costs well over U. S. $15,000), almost every<br />
biometric system on the market today is comprised of<br />
components costing just a few dollars. Even the software<br />
comes on a CD that, in quantity, costs U. S. $0.10 or less.<br />
The difference between the cost of packaging and assembling<br />
these components and the street price asked is an<br />
amount intended to cover the original development cost<br />
and profit. While the profit component remains, the perceived<br />
need to recover the development cost on few sales<br />
is softening and manufacturers are beginning to realize<br />
that the demand for biometric technology is far more<br />
extensive than earlier thought. Volume sales from lower<br />
prices are now resulting in a quicker recovery of investment<br />
capital as more end users are able to afford to make<br />
biometrics a part of their security solution.<br />
Combined <strong>Biometric</strong>s<br />
In recent years, there has been a trend toward combining<br />
two or more biometrics to improve the performance of a<br />
system that would otherwise rely on a single, stand alone<br />
biometric. This makes sense, especially for what could<br />
be termed as “low power” biometrics, that is, devices that<br />
have fairly high error rates. If two dissimilar technologies<br />
(e.g., face recognition and fingerprints, iris and voice recognition)<br />
are combined, then the “fused” result should<br />
collectively show some improvement in performance.<br />
Dr. John Daugman, however, has written a seminal paper<br />
168 on the subject of combining biometrics. The docu-<br />
168 Combining Multiple <strong>Biometric</strong>s. John Daugman, The Computer Labo-<br />
ratory, Cambridge University, UK.<br />
Version 2 – Summer 2008
Section 8 10 Trends and Implications<br />
ment points out that such an improvement, while realized<br />
on one hand, comes at a performance price on the<br />
other hand that may obviate any new value of the combination.<br />
Depending on the intended use and the security<br />
threshold that is required, it may be better to buy<br />
one more expensive biometric system that has a superior<br />
performance profile to the fused or multi-modal solution.<br />
Certainly, when contemplating the combination<br />
of two highly accurate biometrics, such as an advanced<br />
fingerprint system and iris recognition, any gains or improvements<br />
resulting from the combination of the two<br />
are likely to be only statistical advancements at best, with<br />
operational differences that are not likely to be observed<br />
or useful in anything other than the most demanding security<br />
environments. Even in such cases, the difference<br />
may only be measurable in a system involving tens of<br />
millions of transactions annually.<br />
Privacy Issues<br />
During the first years of the current era of biometric<br />
technology - that is, since 1980 - the focus of<br />
entrepreneurial attention was simply on getting the<br />
product to work. Also during this period, biometrics<br />
as a field, was still an arcane discipline. With overall<br />
improvements and the innovation of newer biometric<br />
products, there is an increasing sense of public<br />
awareness of biometrics. This, in turn, has prompted a<br />
burgeoning concern about the use of the technology in<br />
relation to privacy matters, and how each new biometric<br />
technology or application may further erode personal<br />
privacy. Such concerns extend development time<br />
and costs, and, in some instances, impose additional<br />
recurring costs to produce devices that help address the<br />
issues of privacy and public acceptance.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 11<br />
This situation creates both a real and perceptive barrier<br />
to the wide-scale adoption of biometrics to solve such<br />
entrenched problems as identity fraud. Identity theft<br />
is causing the financial, healthcare and social services<br />
sectors well over $100 billion per year, but end-users are<br />
reluctant to counteract the problem through the use of<br />
biometrics until privacy issues are fully sorted out.<br />
A major development that shows promise for resolving<br />
this standoff is Anonymous Recognition ® (AR). AR, an<br />
initiative by the NBSP, permanently separates personal<br />
information from biometric data by creating a personal<br />
reference code. AR, needing only this code to confirm if<br />
the identity is legitimate, can inform the inquiring entity<br />
of the match or non-match without knowing anything<br />
about the enrolled user. In practice this could mean<br />
that biometric identification would not continue to be<br />
stovepiped within a single application, organization, or<br />
even sector.<br />
Implications<br />
All of these trends, collectively and separately, bode well<br />
for the biometric industry. The current portfolio of five<br />
to six leading biometrics are becoming commonplace<br />
and generally well-accepted by the public. While fingerprints<br />
have been used successfully for decades and have<br />
found a high level of acceptance in forensic circles, the<br />
other biometrics are gaining respectability and support<br />
among a diverse group of end-users. The portfolio of<br />
newer biometric technologies is rich with ideas and creativity<br />
that, combined with the other trends in computer<br />
technology and processing, are likely to result in other viable<br />
biometrics. For all of these, the price trends toward<br />
more affordable biometric technology will contribute to<br />
Version 2 – Summer 2008
Section 8 12 Trends and Implications<br />
the adoption and proliferation of biometrics throughout<br />
society. Although troublesome to some members of the<br />
community, the persistent scrutiny by privacy advocates<br />
will also tend to produce more efficient biometric systems<br />
and application policies that emphasize collection<br />
and use of minimal information for effective function,<br />
while rigorously safeguarding anything that could be<br />
construed as personal information.<br />
New <strong>Biometric</strong>s<br />
The human body continues to show rich potential for<br />
new biometric devices. As the capability to image smaller<br />
pieces of anatomy is continually refined, along with<br />
the ability to make sense out of a seeming jumble of data,<br />
new and effective biometric tools are likely to emerge.<br />
The challenge to innovators in this area is whether the<br />
new biometric really represents an advancement in performance<br />
over established technology, or is merely an<br />
attempt to exploit the “gee whiz” factor.<br />
Improved <strong>Technology</strong><br />
The single most significant trend in biometrics is the ongoing<br />
improvements in computer technology. Machines<br />
the size of a deck of cards can now perform computational<br />
magic in seconds that 50 years ago would have required<br />
a room full of equipment and days, if not weeks,<br />
to process. Surface-mount circuit fabrication and other<br />
manufacturing processes enable creation of biometric<br />
products that can be integrated into virtually any other<br />
system.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 13<br />
Improved Processing<br />
As products move from the prototype phase into routine<br />
production, the software that performs the essential<br />
identification protocols is optimized and refined with corresponding<br />
advances in processing speed and decisionmaking.<br />
Combined with the newer 32- and 64-bit CPUs,<br />
optimized software applications leap forward by orders<br />
of magnitude in the time to perform necessary functions<br />
and calculations. Another result of the improved<br />
processing algorithms and technology is significant improvement<br />
in error rates. Better image collection leads<br />
to a sharp reduction in the Failure to Acquire error rate,<br />
as well as improved False Reject and False Accept error<br />
rates. Improved error rates, in turn, lead to greater customer<br />
satisfaction.<br />
Miniaturization<br />
New manufacturing techniques and investments in<br />
nano-technology contribute significantly to improved<br />
processing speeds and image capture, as well as new<br />
product innovations. Imagine a facial recognition system<br />
built into the frame of a pair of glasses with the identification<br />
information being fed to and imaged on one of the<br />
lenses or whispered into the ear of the wearer. The only<br />
limiting factor seems to be the irreducible size and shape<br />
of the human body, where the miniaturization of some<br />
components, such as a fingerprint platen, must stop at<br />
the size of a thumbprint. There are fingerprint recognition<br />
systems on the market today completely encased in<br />
a package the size of a key fob or appear only as a tiny,<br />
2cm wide slot on a laptop keyboard. Only the size of the<br />
fingerprint platen and the battery are needed to power<br />
it.<br />
Version 2 – Summer 2008
Section 8 14 Trends and Implications<br />
Prices<br />
Lower prices will serve to make biometric products<br />
more ubiquitous and help gain universal acceptance.<br />
In the past, biometric products were generally limited<br />
to high-security installations not because they were too<br />
exotic for common use but because they were too expensive<br />
to justify for simpler applications. As the cost of<br />
biometric technology falls, this obstacle will disappear.<br />
Use of a biometric to open a garage door rather than<br />
an opener/transmitter with a random number generator<br />
inside made no economic sense a year ago. Now, consumers<br />
can purchase a biometrically based transmitter<br />
that performs the same function but with much greater<br />
security for virtually the same price.<br />
Combined <strong>Biometric</strong>s<br />
In principle, the combination of two more inexpensive<br />
but low power biometrics could result in an affordable<br />
biometric system with at least moderate power and utility.<br />
As more powerful biometrics fall in price, however,<br />
they become more cost-competitive with the combined<br />
biometric solutions, thus neutralizing any benefit one<br />
might have obtained from the combined system. Such<br />
fused or multi-modal biometrics might have obtained<br />
from the combined system. Such fused or multi-modal<br />
biometrics may have applications in which marginally<br />
reliable data are combined into a single representation<br />
that may be of use for low-security or biometrics-at-adistance<br />
purposes.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Section 8 15<br />
Privacy Issues<br />
As biometrics move into the mainstram of securityrelated<br />
technology, questions about the preservation<br />
of privacy have continued to affect the scope in which<br />
biometric solutions are deployed. Each new biometric<br />
or advancement in a current product can expect to address<br />
questions about the benefits of a product against<br />
privacy concerns. Specifically, how that product can, in<br />
theory and practice, track and report the movements<br />
of individuals. In the past, these issues were raised by<br />
independent privacy advocates who were predisposed<br />
to opposing the introduction of biometric technology.<br />
While this group remains vocal in their skepticism about<br />
biomertrics, the institution has been formalized by the<br />
creation of national level privacy commissions and regulatroy<br />
structures that weigh the benefits of the technology<br />
against the potential for misuse.<br />
This issue may ultimately reduce to two questions: does<br />
the information transmitted from the biomtric device<br />
contain personal information (e.g., state of health, illnesses,<br />
financial data, etc.), and/or does the use of that technology,<br />
even absent any personal information in the signal<br />
itself represent a compromise of personal space and<br />
privacy? As for the first question, this will be answered<br />
on a case-by-case, device-by-device basis. The second<br />
question, while still an ongoing subject of debate, shows<br />
promise resolved by the adoption of solutions such as<br />
Anonymous Recognition ® . A more indepth discussion<br />
of Privacy Issues relating to biometrics is found earlier in<br />
Section 7.<br />
Version 2 – Summer 2008
Section 8 16 Trends and Implications<br />
Summary<br />
Simply put, biometrics have become smaller, quicker,<br />
cheaper, more accurate, and more versatile. Devices are<br />
now intuitive to use, requiring less active cooperation by<br />
the user. The integration of biometric devices into familiar<br />
and common appliance tools and into home security<br />
applications, such as door locks, is increasing. At the<br />
same time, reliability and operational stability in all environments<br />
have improved dramatically. The last barrier<br />
to growth - privacy - is being addressed by the industry<br />
in the form of new approaches that isolate personal data<br />
from biometric information.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 1<br />
Bibliography and References<br />
In researching and compiling the BTAM, the authors<br />
relied heavily on secondary research from alreadypublished,<br />
public sources. The following sources and<br />
resources represent works from which information and<br />
knowledge was used and referenced, and for which the<br />
authors are acknowledged and thanked for sharing this<br />
knowledge.<br />
1.<br />
2.<br />
3.<br />
4.<br />
5.<br />
6.<br />
An <strong>Application</strong> of <strong>Biometric</strong> <strong>Technology</strong>: Retinal Recognition.<br />
Series #3. Ravi Das, HTG Solutions.<br />
ANSI Homeland Security Standards Panel <strong>Biometric</strong><br />
Workshop Report. April 2004.<br />
Army <strong>Biometric</strong> <strong>Application</strong>s: Identifying and Addressing<br />
Sociocultural Concerns. John D. Woodward,<br />
Katharine W. Webb, Elaine M. Newton, Melissa Bradley,<br />
David Rubenson. RAND 2001.<br />
Best Practices for Privacy-Sympathetic <strong>Biometric</strong> Deployment.<br />
International <strong>Biometric</strong> Group; IBG BioPrivacy<br />
Initiative. www.biometricgroup.com<br />
Best Practices in Testing and Reporting Performance<br />
of <strong>Biometric</strong> Devices. Version 1.0. <strong>Biometric</strong>s Working<br />
Group. January 12, 2000.<br />
Best Practices in Testing and Reporting Performance<br />
of <strong>Biometric</strong> Devices. Version 2.01. <strong>Biometric</strong>s Working<br />
Group. Mansfield and Wayman. August 2002.<br />
BioAPI Specification Version 1.1<br />
7. . The BioAPI Consortium.<br />
March 16, 2001.<br />
Version 2 – Summer 2008
Volume 1 2 Bibliography and References<br />
8.<br />
<strong>Biometric</strong> <strong>Application</strong>s: Legal and Societal Considerations.<br />
National <strong>Biometric</strong> Test Center. San Jose State<br />
University. Adapted from a presentation by Dr. Kenneth<br />
P. Nuger of SJSU Political Science Department.<br />
9. <strong>Biometric</strong> Basics presentation. U.S. Department of<br />
Defense <strong>Biometric</strong>s; DoD <strong>Biometric</strong>s Management<br />
Office; DoD <strong>Biometric</strong>s Fusion Center. June 2004.<br />
10. <strong>Biometric</strong> Identification.<br />
Simo Huopio, Department<br />
of Computer Science, Helsinki University of <strong>Technology</strong>.<br />
November 27, 1998.<br />
11. <strong>Biometric</strong> Identity Management in Large-Scale Enterprises<br />
white paper. Daon. October 2002.<br />
12. <strong>Biometric</strong> Principles, <strong>Application</strong>s, Opportunities,<br />
and Issues presentation. Dr. Craig Arndt, Mitretek<br />
Systems. 2004.<br />
13. <strong>Biometric</strong> Product Testing Final Report. Centre for<br />
Mathematics and Scientific Computing (CESG). Tony<br />
Mansfield; Gavin Kelly; David Chandler; Jan Kane.<br />
March 2001.<br />
14. <strong>Biometric</strong> Scanning, Law & Policy: Identifying the<br />
Concerns – Drafting the <strong>Biometric</strong> Blueprint. John D.<br />
Woodward. University of Pittsburgh Law Review. Fall<br />
1997.<br />
15. <strong>Biometric</strong> Systems: <strong>Technology</strong>, Design and Performance<br />
Evaluation. James Wayman; Anil Jain; Davide<br />
Maltoni; and Dario Maio. Springer-Verlag. 2005.<br />
<strong>Biometric</strong> Technologies.<br />
16. Cynthia Traeger and Howard<br />
Falk (doc id 00016761). Faulkner Information<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 3<br />
Services (www.faulkner.com), a division of Information<br />
Today (www.infotoday.com).<br />
17. <strong>Biometric</strong> <strong>Technology</strong> Testing, Evaluation, and Results.<br />
James L. Wayman. National <strong>Biometric</strong> Test Center.<br />
San Jose State University.<br />
18. <strong>Biometric</strong> <strong>Technology</strong>: Security, Legal, and Policy<br />
Implications. Legal Memorandum #12. Paul Rosenzweig,<br />
Alane Kochems, and Ari Schwartz. The Heritage<br />
Foundation. June 2004.<br />
19. <strong>Biometric</strong> Terminology Glossary.<br />
www.findbiometrics.com<br />
20. <strong>Biometric</strong> Testing. Presentation by Valorie S. Valencia,<br />
Ph.D., CEO of Authenti-Corp.<br />
21. <strong>Biometric</strong> Testing: It’s not as Easy as you Think. Valorie<br />
S. Valencia, Ph.D. <strong>Biometric</strong> Consortium Annual<br />
Conference. September 2003.<br />
22. <strong>Biometric</strong> Testing Report. <strong>Biometric</strong>s for National<br />
Security (BiNS). National <strong>Biometric</strong> Security Project<br />
(NBSP) July-August 2004.<br />
23. A <strong>Biometric</strong> White Paper.<br />
Julian Ashbourn. 1999.<br />
24. <strong>Biometric</strong>s 101: The Basics.<br />
www.findbiometrics.com<br />
25. <strong>Biometric</strong>s 2004 Delegate <strong>Manual</strong>. Tony Mansfield,<br />
Principle Research Scientist, National Physical Laboratory,<br />
U.K.<br />
26.<br />
<strong>Biometric</strong>s: A Grand Challenge. Proceedings of In-<br />
Version 2 – Summer 2008
Volume 1 4 Bibliography and References<br />
ternational Conference on Pattern Recognition. Anil<br />
Jain; Sharath Pankanti; Lin Hong; Arun Ross; James<br />
Wayman. August 2004.<br />
27. <strong>Biometric</strong>s: A Look at Facial Recognition. John D.<br />
Woodward; Christopher Horn; Julius Gatune; and<br />
Aryn Thomas. Prepared for the Virginia State Crime<br />
Commission. RAND Public Safety and Justice. 2003.<br />
28. <strong>Biometric</strong>s: A Technical Primer. Elaine M. Newton<br />
with John D. Woodward.<br />
29. <strong>Biometric</strong>s: A Unique Authentication Approach presentation.<br />
David Zhang. <strong>Biometric</strong>s Research Centre,<br />
The Hong Kong Polytechnic University. August 31,<br />
2004.<br />
30. <strong>Biometric</strong>s and the Threat to Civil Liberties. IEEE<br />
Computer magazine. April 2004.<br />
31. <strong>Biometric</strong>s: Personal Identification in a Networked Society.<br />
A. Jain; R. Bolle; S. Pankanti. Kluwer Academic<br />
Publishers, 1999.<br />
32. <strong>Biometric</strong>s As Privacy-Enhancing <strong>Technology</strong>: Friend<br />
or Foe of Privacy? Dr. George Tomko. 1998.<br />
33. <strong>Biometric</strong>s: Identity Assurance in the Information Age.<br />
John D. Woodward; Nicholas M. Orlans; Peter T. Higgins.<br />
McGraw Hill-Osborne. 2003.<br />
34. <strong>Biometric</strong>s Now and Then: The development of<br />
biometrics over the last 40 years, <strong>Biometric</strong>s in the Re-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 5<br />
flection of Requirements. James L. Wayman. 2004.<br />
35. <strong>Biometric</strong>s Performance Testing and Reporting – Part<br />
1: Principles and Framework. ANSI ISO/IEC JTC 1/<br />
SC37 <strong>Biometric</strong>s. January 21, 2005.<br />
36. <strong>Biometric</strong>s: Personal Identification in a Networked Society.<br />
Anil Jain; Ruud Bolle; Sharath Pankanti. Kluwer<br />
Academic Publishers. 1999.<br />
37. <strong>Biometric</strong>s Unproven, Hard to Test. Ann Harrison.<br />
SecurityFocus. August 7, 2002.<br />
38. Choosing a <strong>Biometric</strong> Solution.<br />
www.findbiometrics.com<br />
39. Classification and Indexing in Large <strong>Biometric</strong> Databases.<br />
Srinivas Palla; Sharat S. Chikkerur; Venu Govindaraju;<br />
Pavan K. Rudravaram. Center for Unified<br />
<strong>Biometric</strong>s and Sensors, University of Buffalo, New<br />
York.<br />
40. Combining Multiple <strong>Biometric</strong>s. Dr. John Daugman,<br />
The Computer Laboratory, Cambridge University,<br />
UK.<br />
41. Ear <strong>Biometric</strong>s for Machine Vision. M. Burge and W.<br />
Burger. Johannes Kepler University Department of<br />
Systems Science.<br />
42. Exploring Identity Management: Selecting Identity<br />
Management Tools. A white paper prepared for IBM<br />
Version 2 – Summer 2008
Volume 1 6 Bibliography and References<br />
Tivoli Software by Enterprise Management Associates.<br />
September 2003.<br />
43. Face Recognition Vendor Test 2002 – Evaluation Report<br />
March 2003. DARPA, NIST, Dept. of Defense,<br />
Counterdrug <strong>Technology</strong> Development Program Office,<br />
and NAVSEA Crane Division.<br />
44. Facial Recognition <strong>Biometric</strong>s: Applying New Concepts<br />
on Performance Improvement and Quality Assessment.<br />
Babak Goudarzi Pour and Marcus Zackrisson.<br />
May 2003.<br />
45. Facial Scan <strong>Technology</strong>: How it Works.<br />
www.facial-scan.com<br />
46. Fingerprint Identification. Salil Prabhakar, Anil Jain.<br />
<strong>Biometric</strong>s at Michigan State University.<br />
47. Fingerprint Matching Using Minutiae and Texture<br />
Features. Proceedings of the International Conference<br />
on Image Processing (ICIP), Greece. Anil Jain,<br />
Arun Ross, Salil Prabhakar. October 2001.<br />
48. Fingerprint Vendor <strong>Technology</strong> Evaluation 2003 –<br />
Analysis Report (FpVTE 2003). Charles Wilson, R.<br />
Austin Hicklin, Harold Korves, Bradford Ulery, Melissa<br />
Zoepfl, Mike Bone, Patrick Grother, Ross Michaels,<br />
Steve Otto, and Craig Watson. NIST, Mitretek, and<br />
NAVSEA Crane Division.<br />
49. Foreign Laws Affecting Data Processing and Transborder<br />
Data Flows. Paul H. Silhan.<br />
50. Framework for Evaluating and Deploying <strong>Biometric</strong>s<br />
in Air Travel <strong>Application</strong>s: Surveillance, Trusted Trav-<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 7<br />
el, Access Control. International <strong>Biometric</strong> Group.<br />
April 3, 2002.<br />
51. Fundamentals of <strong>Biometric</strong> Authentication<br />
Technologies. James L. Wayman. National <strong>Biometric</strong><br />
Test Center.<br />
52. The Future of 3D Facial Recognition. David Tunnell,<br />
European Transport Infrastructure.<br />
53. Gray’s Anatomy: The Anatomical Basis of Medicine<br />
and Surgery, 39th Edition. Elsevier Health Sciences<br />
Division.<br />
54. Information Management: Selected Agencies’ Handling<br />
of Personal Information. U.S. General Accounting<br />
Office. (GAO-02-1058) September 2002.<br />
55. International <strong>Biometric</strong> Testing Initiatives<br />
presentation. James L. Wayman. San Jose State<br />
University.<br />
56. An Introduction to <strong>Biometric</strong> Recognition. Anil Jain,<br />
Arun Ross, and Salil Prabhakar. IEEE Transactions on<br />
Circuits and Systems for Video <strong>Technology</strong>. January<br />
2004.<br />
57. Introduction to Dataveillance and Information Privacy.<br />
Roger Clarke.<br />
58. An Introduction to Evaluating <strong>Biometric</strong> Systems.<br />
P.<br />
Jonathon Phillips, Alvin Martin, C.L. Wilson, Mark<br />
Przybocki. IEEE Computer magazine. 2000.<br />
59.<br />
Knowing Me, Knowing You: <strong>Biometric</strong>s, the Security<br />
Version 2 – Summer 2008
Volume 1 8 Bibliography and References<br />
Industry, and the Law. Nick Mallet, Martineau Johnson.<br />
November 2004.<br />
www.martineau-johnson.co.uk<br />
60. Multimodal <strong>Biometric</strong> Authentication Methods: A<br />
COTS Approach. M. Indovina, U. Uludag, R. Snelick,<br />
A. Mink, A. Jain. NIST and Michigan State University.<br />
61. National <strong>Biometric</strong> Test Center Collected Works.<br />
1997-2000. Version 1.2 James L. Wayman. San Jose<br />
State University. August 2000.<br />
62. NIST <strong>Biometric</strong> Standards Program presentation. Michael<br />
D. Hogan, Fernando Podio. September 2004.<br />
63. Overview of the OECD: What is it? History? Who does<br />
what? Structure of the organization? Organization for<br />
Economic Cooperation and Development.<br />
64. Palmprint Recognition with PCA and ICA.<br />
Tee Connie.<br />
Multimedia University, Melaka, Malaysia.<br />
65. Personal Identity Verification (PIV) of Federal Employees<br />
and Contractors. FIPS PUB 201. NIST. February<br />
25, 2005.<br />
66. Personal Verification using Palmprint and Hand Geometry<br />
<strong>Biometric</strong>. Kumar, Wong, Shen, and Jain.<br />
2003.<br />
67. Practical <strong>Biometric</strong>s: From Aspiration to Implementation.<br />
Julian Ashbourn. Springer-Verlag. 2004.<br />
68. A Practical Guide to <strong>Biometric</strong> Security <strong>Technology</strong>.<br />
Simon Liu and Mark Silverman. IT Professional. IEEE<br />
Computer Society. Jan-Feb 2001.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 9<br />
69. Privacy and <strong>Biometric</strong>s: An Oxymoron or Time to Take<br />
a Second Look? Ann Cavoukian. 1998.<br />
70. Privacy Online: Fair Information Practices in the<br />
Electronic Marketplace. Federal Trade Commission.<br />
May 2000, p.iii.<br />
71. The Pros and Cons of Using <strong>Biometric</strong> Systems in Business.<br />
GartnerGroup. Clare Hirst. March 11, 2005.<br />
72. Protocol for the Collection, Use, Dissemination, and<br />
Storage of <strong>Biometric</strong> Data. National <strong>Biometric</strong> Security<br />
Project (NBSP).<br />
73. Putting <strong>Biometric</strong>s to the Test.<br />
Michael Fenner. The<br />
European Union Banking & Finance News Network.<br />
2003.<br />
74. Report on International Data Privacy Laws and <strong>Application</strong><br />
to the Use of <strong>Biometric</strong>s in the United States.<br />
National <strong>Biometric</strong> Security Project (NBSP). December<br />
17, 2004.<br />
75. The Science and <strong>Technology</strong> of <strong>Biometric</strong>s and Managing<br />
Human Identity abstract of presentation for<br />
American Association for the Advancement of Science.<br />
Homeland Security and Emerging <strong>Technology</strong>.<br />
Joseph Attick; Identix, Inc. February 2005.<br />
76. Security magazine. SpecXpress <strong>Biometric</strong>s. April 2004.<br />
77. Slap Fingerprint Segmentation Evaluation 2004<br />
(SlapSeg04) Analysis Report (NISTIR 7209). Bradford<br />
Ulery, Austin Hicklin, Craig Watson, Michael Indovina,<br />
and Kayee Kwong.<br />
Version 2 – Summer 2008
Volume 1 10 Bibliography and References<br />
78. Specifying <strong>Biometric</strong>s.<br />
Julian Ashbourn. 1999.<br />
79. State of <strong>Biometric</strong> Standards presentation to BiometriTech<br />
Expo. Jeff Stapleton, KPMG. June 23-26,<br />
2003.<br />
80. Substance and Quality of <strong>Biometric</strong> <strong>Technology</strong> Training<br />
Programs: An Assessment of Current Industry Capability<br />
to Meet Infrastructure Needs. National <strong>Biometric</strong><br />
Security Project (NBSP). August 2004.<br />
81. Summary of NIST Standards for <strong>Biometric</strong> Accuracy,<br />
Tamper Resistance, and Interoperability. NIST. November<br />
13, 2002.<br />
82. A Survey of Synthetic <strong>Biometric</strong>s: Capabilities and<br />
Benefits. Nicholas M. Orlans, Douglas J. Buettner, and<br />
Joe Marques. The 2004 International Conference on<br />
Artificial Intelligence.<br />
83. Technical Testing and Evaluation of <strong>Biometric</strong> Identification<br />
Devices. James L. Wayman. National <strong>Biometric</strong><br />
Test Center.<br />
84. <strong>Technology</strong> Assessment: Using <strong>Biometric</strong>s for Border<br />
Security. United States General Accounting Office<br />
(GAO). GAO-03-174. November 2002.<br />
85. U.S. Department of Defense <strong>Biometric</strong>s Standards Development<br />
Recommended Approach. <strong>Biometric</strong>s Management<br />
Office. September 2004.<br />
86. The United States Constitution.<br />
1791.<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 11<br />
87. United States Federal Laws Regarding Privacy and<br />
Personal Data and <strong>Application</strong>s to <strong>Biometric</strong>s. National<br />
<strong>Biometric</strong> Security Project (NBSP). August 5,<br />
2004.<br />
88. International Data Privacy Laws and <strong>Application</strong> to<br />
the Use of <strong>Biometric</strong>s in the United States. National<br />
<strong>Biometric</strong> Security Project (NBSP). First supplement,<br />
July 17, 2008.<br />
89. Using <strong>Biometric</strong>s. Julian Ashbourn. 1999.<br />
90. Voice Verification Makes Big Strides, But Its Still Risky.<br />
S. Cramoysan and B. Elliot. GartnerGroup Research<br />
Note. January 31, 2005.<br />
91. Voluntary Industry Standards and Their Relationship<br />
to Government Programs. Licensing Programs Division<br />
– Office of Commercial Space Transportation –<br />
U.S. Department of Transportation. January 1993.<br />
92. What Are <strong>Biometric</strong>s? www.findbiometrics.com<br />
93. What Type of Fingerprints Do You Have? A Fingerprint<br />
History. U.S.Department of Justice. U.S. Marshals<br />
Service.<br />
94. Workshop on <strong>Biometric</strong> Standards presentation. ANSI<br />
Homeland Security Standards Panel. Fernando Podio.<br />
NIST.<br />
Version 2 – Summer 2008
Volume 1 12 Legal Cases Cited<br />
Legal Cases Cited<br />
1.<br />
2.<br />
3.<br />
4.<br />
5.<br />
6.<br />
7.<br />
8.<br />
9.<br />
Breithraupt v. Abram, 352 U.S. 432 (1957)<br />
Cafeteria and Restaurant Workers Union v. McElroy,<br />
367 U.S. 886 (1961)<br />
Ewing v. Mytinger and Casselberry, Inc., 339 U.S.<br />
594 (1950)<br />
Goldberg v. Kelly, 397 U.S. 254 (1970)<br />
Katz v. United States, 389 U.S. 347 (1967)<br />
Michigan v. Stiz, 494 U.S. 444 (1990)<br />
National Treasury Employees Union v. Von Raab,<br />
489 U.S. 656 (1989)<br />
North American Cold Storage Company v. Chicago,<br />
211 U.S. 306 (1908)<br />
Perkey v. Department of Motor Vehicles, 721 P.2d.<br />
50 (Cal. App. 1986)<br />
10.<br />
Schmerber v. California, 384 U.S. 757 (1966)<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Volume 1 13<br />
Acknowledgments<br />
A special thank you to the following individuals and organizations<br />
that contributed their time and expertise to<br />
the development of this volume.<br />
Jill Allison<br />
Eizen, Fineburg & McCarthy, PC<br />
Gates and Company<br />
Walter Hamilton<br />
Carol A. Harvey<br />
John Holmblad<br />
International <strong>Biometric</strong> Group<br />
Cletus B. (Boots) Kuhla<br />
Bill McLaughlin<br />
Ramzi Nasir<br />
Daniel Nickell<br />
Richard E. Norton<br />
Fernando Podio<br />
Russ Ryan<br />
John E. Siedlarz<br />
General Orlo Steele<br />
Catherine Tilton<br />
James L. Wayman<br />
Gerald O. Williams<br />
Bill Wilson<br />
Michael Yura<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Index 1<br />
BTAM Index<br />
1:1 (one to one) identification p.2.12,<br />
57; 3.13, 54, 60; 7.58, 63<br />
1:N (one to many) identification<br />
p.2.12, 15, 24, 57; 3.13, 53; 7.58, 62,<br />
63, 64<br />
Access control p.1.2, 3, 4, 5; 2.7, 11, 12,<br />
14, 16, 18, 22, 26, 27, 34, 37, 38, 58;<br />
3.11, 18, 19, 21, 22, 24, 32, 38, 41,<br />
42, 49, 65, 67; 4.1, 3, 4, 14, 16, 17, 18,<br />
19, 20, 21, 22, 23, 24, 25, 27, 29, 33,<br />
37; 5.1, 21, 33, 34; 6.46; 7.26, 30, 37;<br />
8.3, 8<br />
Accredited Standards Committee X9<br />
(ASC X9 ) p.5.24<br />
Accuracy of biometric systems: see<br />
also robustness<br />
Acquisition device p.2.5, 37<br />
Active imposter acceptance p. 2.37<br />
Alarms p. 4.27<br />
Algorithm p. 2.37<br />
American National Standards Insti-<br />
tute (ANSI ) p. 2.38; 5.29<br />
And (anding) / or (oring) process p. 2.38<br />
ANSI: see American National Stan-<br />
dards Institute<br />
ANSI INCITS: see International Com-<br />
mittee for Information <strong>Technology</strong><br />
Standards<br />
Anti-abuse policy p. 7.71-72<br />
Asynchronous multi-modality p. 2.39<br />
<strong>Application</strong> concept: see system con-<br />
cept<br />
<strong>Application</strong>, definition of p. 2.38<br />
Version 2 – Summer 2008<br />
<strong>Application</strong> profile p. 2.38<br />
<strong>Application</strong> program interface (API)<br />
p. 2.29, 38<br />
<strong>Application</strong> specific integrated circuit<br />
(ASIC) p. 2.38<br />
Army Research Lab (ARL) p. 6.43<br />
ASC X9: see Accredited Standards<br />
Committee X9<br />
Attack p. 2.39<br />
Attempt p. 2.39<br />
Attribute authority p. 2.39<br />
Audit trail p. 2.39<br />
Authentication p. 2.40<br />
Authentication routine p. 2.40<br />
Automated Access Control Portal p.<br />
4.24-29<br />
Automated fingerprint identification<br />
system (AFIS) p. 2.37, 40<br />
Automatic ID / auto ID p. 2.40<br />
Background investigations p. 2.23<br />
Base standard p. 2.40<br />
Behavioral biometric p. 2.41<br />
Bertillon, Alphonse p. 2.2<br />
Bertillonage p. 2.2<br />
Bifurcation p. 2.41; 3.14<br />
Bio API p. 2. 41; 6.32<br />
<strong>Biometric</strong>, definition p. 2.41<br />
<strong>Biometric</strong> application p. 2.41<br />
<strong>Biometric</strong> application programming<br />
interface (BAPI) p. 2.41; 5.17, 20<br />
<strong>Biometric</strong> Consortium p. 5.10, 29, 30<br />
<strong>Biometric</strong> data p. 2.42<br />
<strong>Biometric</strong> engine p. 2.42
Index 2 <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong><br />
<strong>Biometric</strong> identification device p.<br />
2.42<br />
<strong>Biometric</strong> identification product p.<br />
2.42<br />
<strong>Biometric</strong> sample p. 2.42<br />
<strong>Biometric</strong> system or subsystem p.<br />
2.43; elements of p. 2.19-29<br />
<strong>Biometric</strong> system-level criteria p.<br />
2.18-19<br />
<strong>Biometric</strong> taxonomy p. 2.44<br />
<strong>Biometric</strong>, types of p. 1.3<br />
<strong>Biometric</strong> technology: appropriate<br />
application of p. 1.4-5; 2.10-13;<br />
3.2-46; 4.2-5; components of p.<br />
2.19; 3.1; definition p. 2.44; his-<br />
tory of p. 2.1-5; general mechanics<br />
of p. 2.7-10; legal considerations<br />
p.7.1-34; new developments p.<br />
8.2-5, 14; standards sec. 5; testing<br />
and evaluation sec. 6<br />
<strong>Biometric</strong>s Fusion Center (BFC) p.<br />
6.42<br />
<strong>Biometric</strong>s <strong>Technology</strong> Center p. 6.44<br />
Body odor: see olfactory analysis<br />
Body salinity p. 3.63<br />
“Breeder documents” p. 2.7, 22<br />
Buffer overflow p. 2.45<br />
Capture p. 2.7, 16, 19, 21, 25, 27, 42,<br />
45, 49, 53, 56, 58; 3.5, 9, 13, 14, 15,<br />
16, 19, 21, 22, 32, 36, 39, 41, 44, 62,<br />
66, 68; 5.27; 6.20; 8.1, 4 7, 13; see<br />
also failure to acquire<br />
Carnegie Mellon p. 6.45<br />
CBEFF: see Common <strong>Biometric</strong>s Ex-<br />
change File Format<br />
Center for Unified <strong>Biometric</strong>s and<br />
Sensors (CUBS) p. 6.44<br />
Certificate, certificate authority, certi-<br />
fication p. 2.46<br />
Chaotic morphogenesis p. 2.46<br />
Charge coupled device (CCD) p. 3.21,<br />
44, 65<br />
Claim of identity p. 2.12, 46; 7.54<br />
Claimant p. 2.46<br />
Closed-set identification p. 2.46<br />
CoE no. 108 p. 7.32-33<br />
Combined Domains p. 4.41-43<br />
Combined biometrics p. 8.9, 14<br />
Common <strong>Biometric</strong>s Exchange File<br />
Format (CBEFF) p. 2.29, 45; 5.3, 4,<br />
20, 23, 24, 27, 28, 29, 31; 6.32, 33<br />
Common criteria p. 2.47; 6.27<br />
Common Data Security Architecture<br />
(CDSA) p. 5.23<br />
Compare p. 2.47<br />
Comparison, comparison errors p.<br />
2.13-16, 19, 26-28<br />
Comparison of biometric technolo-<br />
gies p. 3.45-55<br />
Consent p. 2.23; 4.27; 7.5, 16, 16, 20,<br />
25, 27, 30, 32, 33, 35, 37, 43, 53, 63,<br />
67, 68, 70<br />
Contact/contactless p. 2.47<br />
Controlled environment p. 3.11<br />
Crossover error rate (CER) p. 2.47, 49<br />
Costs p. 1.4; 3.28; 4.22; 6.17, 30; 8.3,<br />
8, 9, 10<br />
Cumulative match characteristic<br />
(CMC) curve p. 6.13-15<br />
D prime p. 2.47<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Index 3<br />
DARPA p. 3.62<br />
Data Protection Act p. 7.25-30<br />
Data Protection Authority p. 7.33<br />
Data Protection Directive p. 7.18, 19,<br />
39, 40, 41<br />
Databases: see template storage<br />
Daugman, John p. 2.4; 3.21; 8.9<br />
Decision errors p. 2.13, 14, 30; 4.16<br />
Degrees of freedom p. 2.48<br />
Demographics p. 4.6; 6.22<br />
Detection of error trade-off (DET)<br />
curve p. 6.14, 35<br />
Digital signature p. 1.5; 2.48, 54, 56,<br />
59; 5.3, 4<br />
Disclosure p. 4.11; 6.23; 7.57, 62-65,<br />
68<br />
Directive 94/46/EC p. 7.19-24<br />
Discriminant training p. 2.48<br />
DNA (deoxyribonucleic acid) p. 2.17,<br />
53; 3.53, 59, 63-64; 7.5, 53; 8.3, 8<br />
Door controller unit p. 4.25<br />
Dynamic signature analysis p. 3.1, 2,<br />
3, 47<br />
Ear shape p. 2.48; 3.65-66<br />
Eigenface p. 2.48; 3.5-6<br />
Eigenhead p. 2.48<br />
Eigenpalm p. 3.30<br />
Elastic bunch graph matching (EBGM)<br />
p. 3.7<br />
Encryption p. 1.5; 2.9, 35, 48, 54, 56,<br />
59, 62; 5.4; 6.46; 7.30, 59, 64<br />
End user p. 2.43, 45, 46, 49, 56, 62, 63;<br />
3.3, 8; 5.5, 10, 14, 15, 30; 6.2, 4, 8, 25;<br />
8.2, 9, 11<br />
End user adaptation p. 2.49<br />
Version 2 – Summer 2008<br />
Enrollee p. 2.49<br />
Enrollment p. 1.2, 8; 2.7, 8, 9, 10, 12,<br />
13, 14, 15, 17, 19, 20, 21, 22, 23, 24,<br />
25, 27, 28, 29, 32, 42, 43, 44, 49, 50,<br />
51, 52, 53, 57, 61, 6; 3.2, 3, 4, 5, 10,<br />
11, 20, 23, 26, 27, 28, 33, 39, 41, 44,<br />
47, 50, 53, 66; 4.7, 13, 20, 21, 23, 24,<br />
25, 29, 30, 31, 33, 34, 35, 36, 37, 38,<br />
39, 40, 42, 43; 5.13, 27; 6.5, 12, 20,<br />
31; 7.3, 5, 6, 15, 49, 50, 56, 61, 63, 64,<br />
77, 78; 8.5<br />
Enrollment station p. 2.43<br />
Enrollment time p. 2.32, 49<br />
Equal error rate (EER) p. 2.47, 49; see<br />
also crossover error rate<br />
Errors, causes of p. 6.19; see also fail-<br />
ure to acquire, failure to enroll,<br />
false accept, false match, false non-<br />
match, false reject<br />
European <strong>Biometric</strong>s Forum (EBF) p.<br />
6.44<br />
European Committee for Standardiza-<br />
tion, Information Society Standard-<br />
ization System (CEN/ISSS) p. 5.15<br />
European Union p. 7.23, 24, 39<br />
European Union Data Protection Di-<br />
rective (EU Privacy Directive) p.<br />
7.40-42<br />
Evaluation protocols p. 6.36<br />
Extraction p. 2.49<br />
Face monitoring p. 2.49; see also fa-<br />
cial imaging, facial thermography<br />
Face Recognition Grand Challenge p.<br />
6.39<br />
Face Recognition Vendor Test (FRVT)
Index 4 <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong><br />
p. 6.38<br />
Facial imaging, facial recognition p.<br />
3.5-12<br />
Facial thermography p. 2.49; 3.8,<br />
66-67<br />
Failure to acquire, failure to acquire<br />
rate p. 2.16, 26, 49-50; 4.15, 30, 31;<br />
6.20, 21; 8.13<br />
Failure to enroll p. 2.26; 4.9, 30, 31;<br />
6.19-20<br />
False accept, false accept rate (FAR)<br />
p. 2.14, 15, 16, 26, 27, 29, 30, 49, 50;<br />
3.4; 4.14, 16; 6.2, 18, 21, 26; 7.14, 15;<br />
8.13; see also false non-match<br />
False match, false match rate (FMR) p.<br />
2.13, 14, 15, 16, 51; 3.23; 4.9, 14, 16,<br />
18, 30, 31; 6.13, 14, 16, 19<br />
False non-match, false non-match<br />
rate (FNMR) p. 2.13, 14, 15, 16, 51;<br />
4.14, 16, 17, 30, 31, 32; 6.15, 16, 19<br />
False reject, false reject rate (FRR) p.<br />
2.14, 15, 16, 26, 27, 29, 30, 49, 51,<br />
52, 59; 3.17; 4.9, 14, 15, 16, 18; 6.2,<br />
13, 14, 19, 21; 7.14, 15, 28, 73; 8.13;<br />
see also false non-match; failure to<br />
acquire<br />
Federal Privacy Act of 1974 p. 7.35<br />
FERET p. 6.38, 43<br />
Field test p. 2.52; 6.24<br />
Finger geometry p. 3.19, 37, 67<br />
Finger image p. 1.3; 2.40, 52, 56, 57;<br />
3.30; 5.2<br />
Fingernail patterns p. 8.4<br />
Fingerprint p. 2.1-5, 17-18, 20, 25, 26,<br />
34, 37, 40, 41, 53, 54, 58, 60, 63; 3.1,<br />
4, 12, 13, 14, 15, 16, 17, 18, 20, 23,<br />
30, 31, 32, 33, 37, 45, 48, 65; 4.11,<br />
15, 20, 21, 31; 5.2, 30; 6.1, 7, 37, 38,<br />
41, 44, 45; 7.12, 13, 14, 27, 28, 48,<br />
50, 59, 73, 76; 8.1, 3, 6, 9, 10, 11, 13<br />
Fingerprint sensor p. 2.53; 3.37<br />
Fingerprint Verification Competition<br />
(FVC) p. 6.45<br />
Fourier transform p. 3.30<br />
Foundation documents p.2.22, 53, 61;<br />
see also “breeder documents”<br />
FpVTE 2003 p. 6.37-38<br />
Friction ridges p. 2.53<br />
Function creep p. 7.4, 45<br />
Gabor filters p. 3.7, 30<br />
Gait p. 3.55, 68, 69, 41; 8.4, 7<br />
Galton, Sir Francis p. 2.3<br />
Genetic penetrance p. 2.53<br />
Hand geometry p. 2..4, 58; 3.1, 18,<br />
19, 20, 21, 30, 32, 37, 49, 65, 67, 68;<br />
4.11, 20, 21; 6.44; 7.74; 8.1, 3<br />
Hand vascular pattern recognition<br />
systems: see vein pattern<br />
Hash function p. 2.54<br />
Hashing p. 2.35, 54<br />
Health Insurance Portability and Ac-<br />
countability Act (HIPAA) of 1996 p.<br />
7.40, 71<br />
Herschel, Sir William p. 2.2<br />
Henry, Sir Edward Richard p. 2.3<br />
Human Recognition Services Module<br />
(HRS) p. 5.23<br />
Identification p. 2.15-16; 6.4; 7.6, 64;<br />
see also 1:N identification systems<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Index 5<br />
Identification applications p. 2.12;<br />
3.29<br />
Identification levels p. 1.3<br />
Identifier p. 2.55<br />
Identity p. 1.2, 2.55<br />
Identity management: p. 1.6-8; defi-<br />
nition p. 1.6<br />
Identity source documents: see<br />
“breeder documents”<br />
Identity theft p. 1.4-6; 2.33; 3.43; 5.49,<br />
31; 7.56, 75; 8.11<br />
Impediments to use of biometrics p.<br />
1.4<br />
Imposter p. 2.55<br />
INCITS: see International Committee<br />
for Information <strong>Technology</strong> Stan-<br />
dards<br />
INCITS M1 p. 2.55; 5.8, 11-12, 18-22;<br />
6.24, 32-33<br />
Information access control: see logi-<br />
cal access control<br />
Information assurance (IA) p. 2.55<br />
Information systems p. 4.11, 14; 7.49<br />
Information <strong>Technology</strong> Industry<br />
Council (<strong>ITI</strong>) p. 2.56<br />
Infra-red (IR) light p. 3.21-22, 67<br />
In-house test p. 2.56<br />
Integrated Automated Fingerprint<br />
Identification System (IAFIS) p.<br />
2.54; 6.41<br />
Interface with other systems p. 2.29;<br />
4.5, 6<br />
International <strong>Biometric</strong> Industry As-<br />
sociation (IBIA) p. 2.4; 5.31; 7.70<br />
International <strong>Biometric</strong>s Association<br />
(IBA) p. 2.4<br />
Version 2 – Summer 2008<br />
International <strong>Biometric</strong>s Group (IBG)<br />
p. 6.46<br />
International Civil Aviation Organiza-<br />
tion (ICAO) p. 5.5, 7, 14, 28<br />
International Committee for Informa-<br />
tion <strong>Technology</strong> Standards (INCITS)<br />
p. 2.55; 5.18; 6.32; see also INCITS<br />
M1<br />
International Electrotechnical Com-<br />
mission (IEC) p. 2.54; 5.16; 6.28-30<br />
International Engineering Consor-<br />
tium p. 5.7<br />
International Standards Organization<br />
(ISO) p. 2.56; 5.15-16; see also ISO/<br />
IEC JTC 1<br />
Iridology p. 3.24<br />
Iris recognition p. 2.4-5, 28; 3.1, 21-25;<br />
4.11, 15; 5.21; 6.39-40; 8.1, 7, 10<br />
IrisCode ® p. 2.56; 3.22-23<br />
ISO/IEC JTC 1 p. 5.2, 4, 16-19, 30<br />
Japan: see Personal Information Pro-<br />
tection Act<br />
Johns Hopkins University p. 6.46<br />
Joint Technical Committee 1 (JTC 1) p.<br />
2.56; 5.2, 4, 16<br />
Key p. 2.56<br />
Keystroke analysis / keystroke dynam-<br />
ics p. 3.25-29<br />
Latent, latent print p. 2.56<br />
Law: international p. 7.18-34; U.S. p.<br />
7.8-17<br />
LDC/University of Pennsylvania p.<br />
6.45
Index 6 <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong><br />
LISTSERV p. 5.30<br />
Live capture p. 2.56<br />
Local correlation analysis p. 3.7<br />
Local feature analysis p. 3.6<br />
Logical access control (information<br />
access control) p. 3.42; 4.3; 6.46<br />
M 1.2 p. 5.2, 6, 19-20<br />
M 1.3 p. 5.20<br />
M 1.4 p. 5.21<br />
M 1.5 p. 5.11, 21-22; 6.2<br />
M 1.6 p. 5.2, 22<br />
M1 Technical Committee on<br />
<strong>Biometric</strong>s: see INCITS M1<br />
Match, matching: see 1:1, 1:N, com-<br />
pare, comparison<br />
Michigan State University p. 6.44-45<br />
Miniaturization p. 8.8, 13<br />
Minutiae p. 2.57; 3.14-18, 30; 5.2, 20<br />
Mission creep: see function creep<br />
MIT/Lincoln Lab p. 6.45<br />
National <strong>Biometric</strong> Security Project<br />
(NBSP) p. Abstract. ix-xi, xvi-xvii;<br />
2.4-5; 6.20-25; 6.33, 41-42; 7.24;<br />
8.11; see also Qualified Products<br />
List<br />
National Institute of Standards and<br />
<strong>Technology</strong> (NIST) p. 3.10; 5.10,<br />
14, 28-32; 6.37-41; see also FpVTE<br />
2003<br />
National Physical Laboratory (NPL) p.<br />
2.4; 6.42<br />
National Security Agency (NSA) p.<br />
5.30<br />
Networking of biometric systems p.<br />
2.19-29<br />
NIST: see National Institute of Stan-<br />
dards and <strong>Technology</strong><br />
NIST/BC <strong>Biometric</strong> WG p. 5.29<br />
NISTIR p. 5.28<br />
Non-repudiation p. 2.57<br />
Notre Dame p. 6.45<br />
OASIS: see Organization for the Ad-<br />
vancement of Structured Informa-<br />
tion Standards<br />
Olfactory analysis p. 3.62; 8.4<br />
One-to-many comparison p. 2.57; see<br />
also 1:N identification<br />
One-to-one comparison p. 2.57; see<br />
also 1:1 identification<br />
Oneness of source p. 1.2<br />
Open Group, The p. 5.23<br />
Open-set identification p. 2.57<br />
Operating environment p. 2.11;<br />
4.5-13; 6.9, 26, 37<br />
Operating speed p. 4.8<br />
Operational considerations, opera-<br />
tional constraints p. 4.5-7<br />
Operational testing p. 6.8-12<br />
Optical sensor p. 2.57; 3.36<br />
Organization for the Advancment of<br />
Structured Information Standards<br />
(OASIS) p. 5.23<br />
Organization for Economic Coopera-<br />
tion and Development (OECD) p.<br />
7.18<br />
Out of set p. 2.57<br />
Palmprint p. 2..2; 3.30-32<br />
Passive imposter acceptance p. 2.58<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Index 7<br />
Password p. 58; 3.1, 25-29, 43; 4.16-19,<br />
22, 23; 7.55-56<br />
Performance: criteria p. 2.58; mea-<br />
surement of p. 6.16-20; specifica-<br />
tion p. 4.7-11; variables affecting<br />
p. 2.31-32<br />
Persistence p. 8.5<br />
Personal biometric criteria p. 2.17-18<br />
Personal data protection law (CPDL)<br />
p. 7.32<br />
Personal digital assistant (PDA) p. 3.2<br />
Personal Information Protection Act<br />
(PIPA) p. 7.68-69<br />
Physical access control p. 4.3, 33-36<br />
PIN p. 2..32, 46, 58; 3.50<br />
Platen p. 2.58<br />
Plug-and-play p. 2.58<br />
Podio, Fernando p. 5.10<br />
Police Information <strong>Technology</strong> Orga-<br />
nization (PTO) p. 6.38<br />
Positive ID systems p. 2.14, 16<br />
Pre-enrollment process p. 2.21-23<br />
Print Card p. 2.37<br />
Print match or identification p. 2.37<br />
Privacy concerns p. 1.5; 7.35, 40, 56;<br />
see also law<br />
Private key p. 2.48, 59<br />
Public key p. 2.46, 48, 59; public key<br />
cryptography (PKC) p. 2.58; public<br />
key infrastructure (PKI) p. 2.58<br />
Purdue/BSPAL p. 6.46<br />
Purkinje, Johannes Evangelista p. 2.2<br />
Qualified Products List (QPL) p. 6.20,<br />
21, 42<br />
Version 2 – Summer 2008<br />
Random environment p. 3.11<br />
Receiver operating characteristic<br />
(ROC) curves p. 2.59; 6.13<br />
Recognition p. 2.59<br />
Reference, reference model p. 1.2;<br />
6.19; see also template<br />
Region of interest p. 3.43<br />
Religious concerns p. 7.76<br />
Request to exit (RX) p. 4.26, 27<br />
Requirements definition p. 4.1, 2,<br />
7-12<br />
Response time p. 2.60<br />
Retinal scan p. 2.4; 3.32-35<br />
Rhythm/tapping sequence p. 3.69,<br />
70; see also keystroke analysis<br />
Ridge, ridge ending p. 2.60; 3.13, 15<br />
Robustness p. 2.61; 3.3, 8, 17, 19, 23,<br />
27, 31, 33, 37, 40, 45<br />
Sample size, sample error p. 6.5,<br />
22-23<br />
San Jose State University p. 2.44;<br />
6.45<br />
Sandia National Laboratory p. 6.43<br />
SC 17 p. 5.16-17<br />
SC 27 p. 5.5, 16-17; 6.27<br />
SC 37 p. 5.2, 5-9, 16-19, 22, 30, 32<br />
SCF Data Security p. 5.24<br />
Scalability p. 1.4; 6.30-31<br />
Scenario testing p. 5.22; 6.6, 8, 21, 46<br />
Secure Hash Algorithm 1 p. 2.54<br />
Security testing p. 6.27<br />
Sensor, definition of p. 2.61<br />
Signature: see dynamic signature<br />
analysis
Index 8 <strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong><br />
Skin spectroscopy, skin texture, skin<br />
contact p. 3.35-38<br />
Skull resonance p. 3.70<br />
Source documents p. 2.22, 44, 53,<br />
61; see also “breeder documents,”<br />
foundation documents<br />
Speech recognition: see voice recog-<br />
nition<br />
Speaker verification p. 3.40-43, 53, 59<br />
Spoofing p. 3.33, 37; 6.2, 16, 25<br />
Standards: compliance to p. 1.4; 4.32;<br />
6.31-34<br />
Support vector machine p. 3.6, 7<br />
Symmetric key p. 2.62<br />
System concept, application concept<br />
p. 4.14<br />
Systems specification p. 4.2, 12-14<br />
Tailgating p. 4.27-28<br />
Task Groups p. 5.11-13<br />
Technical Advisory Group (TAG) p.<br />
2.62; 5.18<br />
Technical requirements p. 4.13<br />
<strong>Technology</strong> limitations p. 4.8<br />
<strong>Technology</strong> Testing (algorithm verifi-<br />
cation) p. 5.22, 66<br />
Template p. 1.2, 9; 2.6-7, 10-12, 13-16,<br />
19-22, 25-29, 33-34, 36, 37, 42, 43,<br />
46, 47, 49, 51, 55, 56, 57, 60, 62, 63;<br />
3.3-7, 10-11, 14-15, 22-24, 26-28,<br />
39, 43-44, 47-54, 62, 66; 5.2, 20; 6.1;<br />
7.5, 14; 37, 54, 75; 8.5, 7; see also da-<br />
tabase integrity and security<br />
Testing: performance comparison p.<br />
6.20-21; protocols p. 6.34; types p.<br />
6.25-28<br />
Third party test p. 2.62<br />
Threshold, decision p. 2.8; 7.14-15<br />
Throughput, throughput rate p. 2..62;<br />
4.7-9, 32; 6.2, 7, 15, 17, 20-21, 30-31;<br />
8.3; see also operating speed<br />
TNO TPD p. 6.43<br />
Transaction management p. 2.35<br />
Transaction storage p. 2.35<br />
Transfer of data, international p. 7.41<br />
Type I error p. 2.51-52, 62; see also<br />
false reject<br />
Type II error p. 2.50, 62<br />
Typing rhythms: see keystroke analy-<br />
sis<br />
United Kingdom: see Data Protection<br />
Act<br />
United States Naval Academy p. 6.46<br />
Universal unique identifiers<br />
p.7.57-58<br />
University of Bologna p.6.45<br />
University of Buffalo p. 6.44<br />
University of California San Diego p.<br />
6.45<br />
University of Edinburgh p. 6.45<br />
University of Maryland p. 6.45<br />
User p. 2..6-12, 20-21, 63; 4.4-7;<br />
7.55-67, 74-76; education of p.<br />
7.77-78; see also acceptance of bio-<br />
metric technologies<br />
Validation p. 2.63<br />
Vein pattern p. 3.43-46; 8.4; see also<br />
facial thermography<br />
Verification, verify p. 2.62; applications<br />
p. 2.12, 21-22; time p. 2.34-35<br />
Visitor and Immigrant Status Indicator<br />
Version 2 – Summer 2008
<strong>Biometric</strong> <strong>Technology</strong> <strong>Application</strong> <strong>Manual</strong> Index 9<br />
<strong>Technology</strong> (VISIT) p. 6.38; 7.46-48<br />
Voice print: see speaker verification<br />
Voice recognition p. 2.5; 3.38-43; 4.11;<br />
8.1-2<br />
Volatiles p. 2.63; 3.62<br />
von der Marlsburg, Christoph p. 3.7<br />
Vulnerability p. 4.5-6; 6.9, 16, 25-26;<br />
7.66, 71; see also spoofing<br />
Wavelet p. 3.30<br />
Wavelet scalar quantization p. 2.63<br />
WD 19792 p. 6.27<br />
West Virginia University p. 6.45<br />
WG 1, 2, 3, 4, 6 p. 5.17-18, 22; WG 5<br />
p. 5.18; 6.32<br />
X9.84 <strong>Biometric</strong>s p. 2.64; 5.24; see<br />
also Accredited Standards Com-<br />
mittee X9<br />
XCBF p. 5.3-4, 23<br />
XML p. 5.4, 23<br />
Zero effort imposter, zero effort at-<br />
tack p. 2.30, 64<br />
Version 2 – Summer 2008
BIOMETRICS FOR NATIONAL SECURITY (BiNS V)<br />
Contract Number: H98230-06-C-0382<br />
Deliverable: 08-037-CDRL-A006<br />
NBSP Coordination and Approval<br />
Task Manager: Russ Ryan<br />
Program Manager: Valerie Evanoff<br />
Program Director: Richard E. Norton<br />
Quality Control: Carol Harvey<br />
Government Acceptance<br />
_________________________________<br />
Contract Technical Representative Name<br />
_________________________________<br />
Signature<br />
_________________________________<br />
Date